[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

US20160171217A1 - Entity ip mapping - Google Patents

Entity ip mapping Download PDF

Info

Publication number
US20160171217A1
US20160171217A1 US14/702,668 US201514702668A US2016171217A1 US 20160171217 A1 US20160171217 A1 US 20160171217A1 US 201514702668 A US201514702668 A US 201514702668A US 2016171217 A1 US2016171217 A1 US 2016171217A1
Authority
US
United States
Prior art keywords
addresses
domain name
entity
variations
weight
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US14/702,668
Other versions
US9372994B1 (en
Inventor
Aleksandr Yampolskiy
Rob Blackin
Samuel Kassoumeh
Nick Matviko
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SecurityScorecard Inc
Original Assignee
SecurityScorecard Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US14/702,668 priority Critical patent/US9372994B1/en
Application filed by SecurityScorecard Inc filed Critical SecurityScorecard Inc
Assigned to SECURITY SCORECARD, INC. reassignment SECURITY SCORECARD, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BLACKIN, ROB, HEID, ALEXANDER, YAMPOLSKIY, ALEKSANDR
Assigned to Security Scorecard reassignment Security Scorecard ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MATVIKO, NICK
Assigned to SECURITY SCORECARD, INC. reassignment SECURITY SCORECARD, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CHOE, DANIEL, KASSOUMEH, SAMUEL, YAMPOLSKIY, ALEKSANDR
Assigned to SECURITY SCORECARD, INC. reassignment SECURITY SCORECARD, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BLACKIN, ROB, KASSOUMEH, SAMUEL, YAMPOLSKIY, ALEKSANDR
Priority to US15/155,745 priority patent/US10491620B2/en
Publication of US20160171217A1 publication Critical patent/US20160171217A1/en
Publication of US9372994B1 publication Critical patent/US9372994B1/en
Application granted granted Critical
Assigned to SecurityScorecard, Inc. reassignment SecurityScorecard, Inc. CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE NAME PREVIOUSLY RECORDED AT REEL: 035687 FRAME: 0980. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT. Assignors: BLACKIN, ROB, KASSOUMEH, SAMUEL, YAMPOLSKIY, ALEKSANDR
Assigned to SecurityScorecard, Inc. reassignment SecurityScorecard, Inc. CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE NAME PREVIOUSLY RECORDED ON REEL 035687 FRAME 0941. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT. Assignors: BLACKIN, ROB, HEID, ALEXANDER, YAMPOLSKIY, ALEKSANDR
Assigned to SecurityScorecard, Inc. reassignment SecurityScorecard, Inc. CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE NAME PREVIOUSLY RECORDED AT REEL: 035688 FRAME: 0029. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT. Assignors: MATVIKO, NICK
Priority to US16/582,037 priority patent/US10931704B2/en
Assigned to SecurityScorecard, Inc. reassignment SecurityScorecard, Inc. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MATVIKO, NICK
Priority to US17/182,074 priority patent/US11750637B2/en
Assigned to JPMORGAN CHASE BANK, N.A. reassignment JPMORGAN CHASE BANK, N.A. SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SecurityScorecard, Inc.
Priority to US18/309,670 priority patent/US12041073B2/en
Assigned to FIRST-CITIZENS BANK & TRUST COMPANY reassignment FIRST-CITIZENS BANK & TRUST COMPANY SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SecurityScorecard, Inc.
Priority to US18/744,908 priority patent/US20240340304A1/en
Assigned to SecurityScorecard, Inc. reassignment SecurityScorecard, Inc. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: JPMORGAN CHASE BANK, N.A.
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0635Risk analysis of enterprise or organisation activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0639Performance analysis of employees; Performance analysis of enterprise or organisation operations
    • G06Q10/06393Score-carding, benchmarking or key performance indicator [KPI] analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/06Generation of reports
    • H04L43/065Generation of reports related to network devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/50Address allocation
    • H04L61/5007Internet protocol [IP] addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/50Address allocation
    • H04L61/5076Update or notification mechanisms, e.g. DynDNS
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10Small scale networks; Flat hierarchical networks
    • H04W84/12WLAN [Wireless Local Area Networks]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Definitions

  • This disclosure generally relates to corporate cybersecurity technology. More specifically, this disclosure relates to mapping Internet Protocol (IP) addresses to an entity to assist in benchmarking the entity's cybersecurity risk.
  • IP Internet Protocol
  • An entity such as an organization, corporation, or governmental entity, may have a number of IP addresses allocated to it through which computers may be used for internal and external communication.
  • employees at different locations may communicate with each other using different network service providers, such as Internet Service Providers (ISPs).
  • ISPs Internet Service Providers
  • Some entities may also be accessed using third-party hosting providers and virtualized cloud services, which often assign part of their own allocated IP addresses to the entity instead of one of the IP addresses already allocated to the entity. As a result, an entity may not know each of the different IP addresses through which employees and computers of the entity communicate.
  • a scorecard system may create a mapping of IP addresses that are associated with an entity to improve accuracy in the calculation of the entity's cybersecurity risk.
  • a method for mapping IP addresses to an entity may include receiving, by a processor, at least one domain name associated with the entity. The method may also include determining, by the processor, one or more variations of the at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name. The method may further include identifying, by the processor, one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources.
  • the method may also include assigning, by the processor, a weight to each of the identified one or more IP addresses based on a correlation between each of the identified one or more IP addresses and the one or more variations of the at least one domain name.
  • the method may further include creating, by the processor, a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses.
  • a computer program product includes a non-transitory computer-readable medium comprising instructions which, when executed by a processor of a computing system, cause the processor to perform the step of receiving at least one domain name associated with the entity.
  • the medium may also include instructions which cause the processor to perform the step of determining one or more variations of the at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name.
  • the medium may further include instructions which cause the processor to perform the step of identifying one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources.
  • the medium may also include instructions which cause the processor to perform the step of assigning a weight to each of the identified one or more IP addresses based on a correlation between each of the identified one or more IP addresses and the one or more variations of the at least one domain name.
  • the medium may further include instructions which cause the processor to perform the step of creating a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses.
  • an apparatus includes a memory and a processor coupled to the memory.
  • the processor can be configured to execute the step of receiving at least one domain name associated with the entity.
  • the processor may also be configured to execute the step of determining one or more variations of the at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name.
  • the processor can be configured to execute the step of identifying one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources.
  • the processor may also be configured to execute the step of assigning a weight to each of the identified one or more IP addresses based on a correlation between each of the identified one or more IP addresses and the one or more variations of the at least one domain name.
  • the processor can be configured to execute the step of creating a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses.
  • FIG. 1 is a block diagram of a network that includes a scorecard server, data sources, and an entity with a cybersecurity risk according to an embodiment
  • FIG. 2 is a block diagram of a system for calculating and benchmarking an entity's cybersecurity risk according to an embodiment
  • FIG. 2B is a block diagram of underlying components of a system for mapping IP addresses to an entity according to an embodiment
  • FIG. 3 is a flow chart of a method for mapping IP addresses to an entity according to an embodiment.
  • FIG. 4 is a flow diagram illustrating IP mapping with respect to one or more entities according to an embodiment.
  • IP addresses associated with an entity may be determined based solely from knowledge of a domain name of an entity. Knowledge of the IP addresses associated with an entity may be useful for a variety of applications. For example, as illustrated in FIGS. 1-2 , a mapping of the IP addresses associated with an entity may be used to determine a cybersecurity risk for an entity.
  • IP address is a numerical label assigned to a device, such as a computer or printer, participating in a computer network that uses the Internet Protocol for communication.
  • An IP address primarily serves two principal functions: (1) identification of a host or network interface, and (2) location addressing. IP addresses are typically binary numbers that are usually stored in text files and displayed in human-readable notations, such as 172.16.254.1 (for IPv4), and 2001:db8:0:1234:0:567:8:1 (for IPv6).
  • a module is “[a] self-contained hardware or software component that interacts with a larger system.” Alan Freedman, “The Computer Glossary” 268 (8th ed. 1998).
  • a module comprises a machine- or machines-executable instructions.
  • a module may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components.
  • a module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
  • Modules may also include software-defined units or instructions, that when executed by a processing machine or device, transform data stored on a data storage device from a first state to a second state.
  • An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions that may be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations that, when joined logically together, comprise the module, and when executed by the processor, achieve the stated data transformation.
  • a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and/or across several memory devices.
  • operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices.
  • FIG. 1 is a block diagram of network 100 that includes a scorecard server 110 , a communication network 120 , an entity server 130 , an entity 140 , data sources 150 , and user station 160 .
  • the scorecard server 110 includes one or more servers that, according to one embodiment, are configured to perform several of the functions described herein.
  • One or more of the servers comprising the scorecard server 110 include memory, storage hardware, software residing thereon, and one or more processors configured to perform functions associated with network 100 .
  • components comprising user station 160 such as CPU 162 , can be used to interface and/or implement scorecard server 110 .
  • One of skill in the art will readily recognize that different server and computer architectures can be utilized to implement scorecard server 110 and that scorecard server 110 is not limited to a particular architecture so long as the hardware implementing scorecard server 110 supports the functions of the scorecard system disclosed herein.
  • the communication network 120 facilitates communications of data between the scorecard server 110 and the data sources 150 .
  • the communication network 120 can also facilitate communications of data between the scorecard server 110 and other servers/processors, such as entity server 130 .
  • the communication network 120 includes any type of communications network, such as a direct PC-to-PC connection, a local area network (LAN), a wide area network (WAN), a modem-to-modem connection, the Internet, a combination of the above, or any other communications network now known or later developed within the networking arts which permits two or more computers to communicate.
  • the entity server 130 includes the servers which the entity 140 uses to support its operations and which the scorecard server 110 accesses to collect further information to calculate and benchmark an entity's cybersecurity risk.
  • the data sources 150 include the sources from which the scorecard server 110 collects information to calculate and benchmark an entity's cybersecurity risk.
  • the Entity 140 includes any organization, company, corporation, or group of individuals.
  • one entity may be a corporation with thousands of employees and headquarters in New York City, while another entity may be a group of one or more individuals associated with a website and having headquarters in a residential home.
  • Data Sources 150 includes any source of data accessible over Network 120 .
  • one source of data can include a website associated with a company, while another source of data may be an online database of various information.
  • the data sources 150 may be sources of any kind of data, such as domain name data, social media data, multimedia data, IP address data, and the like.
  • data sources 150 are not limited to a particular data source, and that any source from which data may retrieved may serve as a data source so long as it can be accessed by network 120 .
  • the central processing unit (“CPU”) 161 is coupled to the system bus 162 .
  • the CPU 161 can be a general purpose CPU or microprocessor performing the functions of the scorecard server 110 , a graphics processing unit (“GPU”), and/or microcontroller. Embodiments are not restricted by the architecture of the CPU 161 so long as the CPU 161 , whether directly or indirectly, supports the operations described herein.
  • the CPU 161 is one component may execute the various described logical instructions.
  • the user station 160 also comprises random access memory (RAM) 163 , which can be synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), or the like.
  • RAM random access memory
  • the user station 160 may utilize RAM 163 to store the various data structures used by a software application.
  • the user station 160 also comprises read only memory (ROM) 164 which can be PROM, EPROM, EEPROM, optical storage, or the like.
  • ROM may store configuration information for booting the user station 160 .
  • the RAM 163 and the ROM 164 hold user and system data, and both the RAM 163 and the ROM 164 can be randomly accessed.
  • the user station 160 also comprises an input/output (I/O) adapter 165 , a communications adapter 166 , a user interface adapter 167 , and a display adapter 168 .
  • the I/O adapter 165 and/or the user interface adapter 167 may, in certain embodiments, enable a user to interact with the user station 160 .
  • the display adapter 168 may display a graphical user interface (GUI) associated with a software or web-based application on a display device 169 , such as a monitor or touch screen.
  • GUI graphical user interface
  • the I/O adapter 165 may couple one or more storage devices 170 , such as one or more of a hard drive, a solid state storage device, a flash drive, a compact disc (CD) drive, a floppy disk drive, and a tape drive, to the user station 160 .
  • the data storage 170 can be a separate server coupled to the user station 160 through a network connection to the I/O adapter 165 .
  • the communications adapter 166 can be adapted to couple the user station 160 to a network, which can be one or more of a LAN, WAN, and/or the Internet.
  • the user interface adapter 167 couples user input devices, such as a keyboard 171 , a pointing device 172 , and/or a touch screen (not shown) to the user station 160 .
  • the display adapter 168 can be driven by the CPU 161 to control the display on the display device 169 . Any of the devices 161 - 168 can be physical and/or logical.
  • the user station 160 is provided as an example of one type of computing device that can be adapted to perform the functions of a server and/or the user interface device 165 .
  • any suitable processor-based device can be utilized including, without limitation, personal data assistants (PDAs), tablet computers, smartphones, computer game consoles, and multi-processor servers.
  • PDAs personal data assistants
  • the systems and methods of the present disclosure can be implemented on application specific integrated circuits (ASIC), very large scale integrated (VLSI) circuits, or other circuitry.
  • ASIC application specific integrated circuits
  • VLSI very large scale integrated circuits
  • persons of ordinary skill in the art may utilize any number of suitable structures capable of executing logical operations according to the described embodiments.
  • user station 160 may reside at, or be installed in, different locations within network 100 .
  • user station 160 directly interfaces with scorecard server 110 .
  • scorecard server 110 Such an embodiment is conducive for an individual or user not directly associated with entity 140 to effectuate computation of a cybersecurity risk and/or benchmark of same for that entity.
  • one or more users located at entity 140 or locations directly associated with same may effectuate computation of a cybersecurity risk and/or benchmark of same for that entity.
  • user station 160 (or at least certain components thereof) may directly interface with entity servers 130 .
  • entity servers 130 may comprise the hardware and/or software found in scorecard server 110 in the illustrated embodiment.
  • the features necessary to compute cybersecurity risk scores and benchmarks can be collocated within network 100 or distributed across, e.g., scorecard server 110 and entity servers 130 , and user station(s) 160 .
  • FIG. 2 is a block diagram of a system for calculating and benchmarking an entity's cybersecurity risk according to an embodiment.
  • System 200 can be implemented with one or more computing devices, such as scorecard server 110 , entity servers 130 , and user station(s) 160 illustrated in FIG. 1 .
  • System 200 comprises a security signal collection module 210 , a contextualization and attribution module 220 , and a benchmarking module 230 .
  • Security signal collection module 210 collects one or more types of data that relate to the cybersecurity risks associated with an entity.
  • Security signal collection module 210 comprises submodules that collect different types of data from a predefined “threat sphere.”
  • the threat sphere may change depending on the entity for which a cybersecurity risk score is calculated, and may further change according to the goals and/or objectives of the entity.
  • the threat sphere is typically defined to include sources of information that likely comprise, generate, are responsible for, or otherwise correspond to data indicative of an entity's cybersecurity risk. Accordingly, each module or submodule that collects data corresponds to one more channels or data feeds from sources comprising the threat sphere.
  • security signal collection module 210 comprises a social engineering collection module 201 , a malware and botnet infection collection module 202 , an application vulnerabilities collection module 203 , a breach history collection module 204 , a network exploits collection module 205 , a DNS Health collection module 206 , a patching cadence collection module 207 , and a leaked credentials collection module 208 .
  • Security signal collection module 210 can also comprises a hacker forum monitoring module 209 for collecting data from hacker forums can also and an endpoint security analysis module 211 for collecting endpoint data.
  • Security signal collection module 210 can also comprises modules for specifying when data is collected and how data is associated with an entity.
  • the security signal collection module 210 comprises a continuous Internet scans module 212 for performing continuous scans of Internet data to collect data associated with an entity.
  • the security signal collection module 210 can also comprises a real-time scans collection module 213 for collecting data in real time, such as collecting real-time threat intelligence/data and collecting data in real time from a malicious IP feed, which can include digesting 2000+bad (IPS) per second.
  • the security signal collection module 210 can also comprises an IP Mapping module 214 to reliably identify IP addresses associated with an entity. By mapping IP addresses to an entity, data collected the Internet over one or more channels comprising the threat sphere (or beyond) can be determined to be associated with, or attributable to, the given entity.
  • Contextualization and attribution module 220 contextualizes data collected by the security signal collection module 210 .
  • the contextualization and attribution module 220 comprises an extraction module 222 to extract data relevant to cybersecurity of a given entity from the collected data.
  • the contextualization and attribution module 220 can also comprises a normalization module 224 and a weighting module 226 to normalize and/or weight a preliminary security score determined based on a raw scoring of the extracted security data.
  • the normalization and/or weighting of a preliminary score may depend on multiple factors, such as, for example, the size of the entity, the relationship between the extracted information and overall security performance, and the type of data collected.
  • the contextualization and attribution module 220 can also comprises a machine learning module 228 to identify and update which factors most significantly affect an entity's cybersecurity. This information can be used to further contextualize the collected data. For example, the security scores identified as being the most relevant may then be normalized and/or weighted to account for their relevancy.
  • the contextualization process can also comprises applying temporal adjustments to security data or calculated security scores based on the time span between an event that generated the security data and the current date.
  • contextualization can also comprises validating threats, such as, for example, by confirming that an event creating data that indicates the presence of a malware event is in fact a malware event. Further aspects of the contextualization submodules are described in detail below.
  • Benchmarking module 230 calculates an overall cybersecurity risk score for an entity, as well as a benchmark based on cybersecurity performance metrics.
  • the computed benchmark may further comprise a percentile ranking for the entity.
  • the benchmarking module 230 comprises a scoring module 232 to obtain the overall cybersecurity risk score for an entity based on the contextualization of the entity's security data and processing of scores for each of the different types of security data collected for the entity.
  • the benchmarking module 230 can also comprises a percentiles module 234 to determine a percentile ranking for the entity which provides an indication of how the entity's cybersecurity fairs with respect to similar companies in the same industry. Further aspects of the benchmarking submodules are described in detail below.
  • a scorecard server such as scorecard server 100 from FIG. 1 , may utilize one or more of the submodules in the security signal collection 210 , contextualization 220 , and benchmarking 230 modules to score and benchmark an entity's cybersecurity risk.
  • FIG. 2B is a block diagram of underlying components of a system for mapping IP addresses to an entity
  • FIG. 3 is a flow chart illustrating a method for mapping IP addresses to an entity using the underlying components of the system for mapping IP addresses to an entity.
  • embodiments of method 300 can be implemented with the systems described with respect to FIGS. 1-2 , in particular the underlying components illustrated in FIG. 2B .
  • a processor disclosed in method 300 may correspond to a processor within a scorecard server disclosed in this disclosure.
  • method 300 includes, at block 302 , receiving at least one domain name associated with the entity.
  • scorecard system 200 can implement reception module 219 A to receive a URL associated with an entity.
  • the URL may include the domain name for the entity.
  • the URL, and in particular the domain name may be input by a user accessing scorecard system 200 , for example, a user accessing scorecard system 200 via user station 160 illustrated in FIG. 1 .
  • method 300 includes determining one or more variations of the at least one domain name.
  • scorecard system 200 can implement domain name variations module 219 B to determine one or more variations of a received domain name.
  • determination of the variations of the domain name may be based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the domain name.
  • data sources 150 from which domain name data may be gathered include any sources of data which include information about the domain names used or mentioned in the data source. Examples, and not limitations, of data sources include databases, such as FreebaseTM and CrunchBase ⁇ , online services, such as LinkedIn ⁇ , and general informational websites, such as CNN.com.
  • scorecard system 200 may collect domain name data from multiple data sources across the Internet.
  • the scorecard system 200 may analyze the domain name data collected from the data sources to determine one or more variations of the domain name, such as “gs.com” and “goldmansachs.com.”
  • the domain name data may also include general mentions of an entity in a data source.
  • domain name variations may also include “Goldman Sachs, Inc.” and “The Goldman Sachs,” each of which may point to IP addresses.
  • the information collected from all the data sources may be correlated to determine the most accurate variations of the domain names associated with an entity.
  • a machine learning algorithm may be developed to correlate the domain name data collected from all the data sources to determine the most accurate variations of the domain names associated with the entity.
  • the scorecard system 200 may also suffix or append characters to an identified domain name to aid in the determination of the domain name variations.
  • method 300 includes identifying one or more IP addresses pointed to by the one or more variations of the entity's domain name.
  • scorecard system 200 can implement IP address collection module 219 C to identify IP addresses pointed to by domain name data.
  • identification of the one or more IP addresses may be based on analysis of IP address data collected from a plurality of IP address data sources. Examples, and not limitations, of data sources from which IP addresses may be collected include IP registries, such as the American Registry for Internet Numbers (ARIN), the European IP Networks (RIPE), the Latin America and Caribbean Network Information Centre (LACNIC), the African Network Information Center (AFRINIC), and the Asi a - Pacific Network Information Centre (APNIC). Other data sources include third-party IP address databases.
  • ARIN American Registry for Internet Numbers
  • RIPE the European IP Networks
  • LACNIC Latin America and Caribbean Network Information Centre
  • AFRINIC African Network Information Center
  • APNIC Asi a - Pacific Network Information Centre
  • Other data sources include third-party IP address databases.
  • the scorecard system 200 may also analyze data in Domain Name System (DNS) records, Border Gateway Protocol (BGP) records, Secure Socket Layer (SSL) certificates, security scanners, such as Nmap, content delivery network (CDN) databases, and known security IP addresses, such as honeypots and sinkholes owned by security companies. From analysis of data collected from the data sources, the scorecard system can identify the IP addresses pointed to by the different variations of the entity's domain name.
  • DNS Domain Name System
  • SSL Secure Socket Layer
  • security scanners such as Nmap
  • CDN content delivery network
  • known security IP addresses such as honeypots and sinkholes owned by security companies.
  • method 300 includes assigning, by the processor, a weight to each of the identified one or more IP addresses.
  • scorecard system 200 can implement IP weighting module 219 D to weigh the identified IP addresses.
  • weighting may be based on a correlation between each of the identified one or more IP addresses and the one or more variations of the at least one domain name.
  • a good correlation may consist of an IP address that is pointed to by multiple variations of the domain name data.
  • weighting may include assigning a larger weight to an IP address of the identified one or more IP addresses that maps to multiple of the one or more variations of the at least one domain name than the weight assigned to an IP address of the identified one or more IP addresses that maps to only one of the one or more variations of the at least one domain name.
  • a mapping Ci may consist of a single mapping between an IP address and a domain name data variation. For multiple mappings, such as C 1 , C 2 , . . . , Cn, the number of times an IP address maps to a different variation of the domain name data may be tracked. Based on the number of times an IP address maps to a different variation of the domain name data for an entity, a weight between 0 and 1 can be assigned to the IP address. A higher weight may be assigned to IP addresses pointed to multiple times than IP addresses pointed to once.
  • Weighting with weighting module 219 D may also include weighting based on the reliability of the domain name variation determined for an entity. For example, if the scorecard system 200 had to perform truncation or appending to obtain the domain name variation or if the domain name variation is mentioned only once in only a single data source, then the scorecard system 200 may assign a lower weight to the IP address pointed to by the domain name variation. In other words, a good indication that an IP address is associated with an entity is that multiple variations for the entity's domain name point to the same IP address.
  • weighing with weighting module 219 D may also include weighting based on the specific type of entity network with which the collected IP addresses are associated. For example, an IP address associated with a guest network or WiFi network of the entity may be assigned a lower weight than an IP address associated with an intranet network of the entity.
  • the scorecard system 200 may also include a machine learning algorithm to perform the weighting disclosed herein.
  • the scorecard system 200 may utilize a machine learning algorithm to, in addition to implement the other weighting routines disclosed above, analyze anonymized fingerprints of browsers when analyzing IP addresses obtained from online advertisements or e-mails.
  • the machine learning algorithm is not limited to implementing only the weighting factors disclosed herein, and that many other factors may be incorporated into the machine learning algorithm so long as the machine learning algorithm utilizes the factors to weight the IP addresses association with domain name variations of an entity.
  • method 300 includes creating a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses.
  • scorecard system 200 can implement IP mapping creation module 219 E to create the mapping.
  • the scorecard system 200 may create the IP mapping by selecting only the IP addresses that are most reliably associated with the entity for inclusion into the IP mapping.
  • the scorecard system 200 may set a minimum weight threshold for IP addresses to be included in the created IP mapping. IP addresses with weights higher than then minimum threshold, for example IP addresses pointed to by domain name variations mentioned in numerous databases in association with the company or specifically provided by an employee of the company, may be included in the created IP mapping.
  • IP addresses with weights below the minimum threshold may be excluded from inclusion in the created IP mapping.
  • the created mapping of IP addresses may be adjusted or maintained up-to-date by periodically executing the reception 219 A, domain name variations 219 B, IP address collection 219 C, weighting 219 D, and IP mapping creation 219 E modules as disclosed herein.
  • the IP mapping for an entity may be adjusted for a variety of reasons.
  • a representative of an entity may provide specific IP addresses for inclusion in the IP mapping for the entity or the representative of the entity may specify which IP addresses in the created IP mapping should not be included in the IP mapping.
  • the scorecard system 200 adjusts the created mapping of IP addresses based on user input.
  • the representative may input the IP addresses to include or exclude by accessing the scorecard system 200 via user station 160 .
  • the scorecard system may then modify the IP mapping based on the information provided by the entity representative.
  • the scorecard system 200 may also exclude from the IP mapping IP addresses associated with networks other than the entity network, such as a Wi-Fi, third-party hosting, guest, or security network.
  • the scorecard system 200 may associate IP addresses with the other networks based on user input provided on user station 160 .
  • the scorecard system may also associate IP addresses to the other networks based on the weighting performed by weighting module 219 D.
  • the machine learning algorithm utilized during weighting may have identified networks not associated with the entity and weighted the IP addresses associated with such networks lower than other IP addresses.
  • the machine learning algorithm may have detected IP addresses not having access to data internal to the entity and assigned lower weights to those IP addresses.
  • the scorecard system 200 may also determine the IP addresses to be excluded from the IP mapping during creation of an IP mapping without user input. For example, in one embodiment, IP addresses associated with security providers, such as CloudFlare and Akamai, may be excluded from the created IP mapping because they are associated with the security provider and not the entity. To identify IP addresses associated with security providers and IP addresses behind the security provider that are associated with an entity, the scorecard system 200 may utilize IP address collection module 219 C to collect IP address information from unusual data sources. For example, the scorecard system 200 may collect IP address information from alternative domain data sources which may not be configured properly. As another example, the scorecard system 200 may collect and analyze data transmission headers associated with the security providers. In yet another example, the scorecard system 200 may read IP addresses from TCP port 80 . In another embodiment, the scorecard system 200 may collect the IP address information directly from the security provider.
  • IP addresses associated with security providers such as CloudFlare and Akamai
  • the scorecard system 200 may utilize IP address collection module 219 C to collect IP address information from unusual data sources.
  • the scorecard system 200 may also determine IP addresses to be excluded from the created IP mapping by determining whether the collected IP addresses are associated with a WiFi or guest network provided by the entity.
  • the entity may provide the scorecard system 200 with the WiFi or guest networks provided by the entity.
  • the scorecard system may determine the networks during execution of the IP address collection module 219 C by collecting data for data sources that specify WiFi and guest networks available by the entity.
  • the scorecard system 200 may also perform an Nmap banner grab during IP address collection to identify whether the IP address is associated with a guest network of the entity.
  • the IP mapping created with IP mapping creation module 219 E may be associated with a subnetwork of an entity's network because some entities, such as network hosting entities, may have multiple networks.
  • the desired IP addresses to be associated with the entity may be only those IP addresses associated with the entity's network.
  • the desired IP addresses to be associated with the entity may be the IP addresses that are hosted for other entities.
  • the scorecard system 200 may create the different IP mappings based on a variety of factors. For example, the scorecard system 200 may be provided with information by the entity which specifies which collected IP addresses should be associated with the entity's network and which IP addresses should be associated with the entity's hosting network.
  • the scorecard system 200 may look at whether a collected IP address is associated with a hosted virtual machine to determine in which IP mapping the IP address should be placed.
  • the scorecard system 200 may use the machine learning algorithm utilized while executing weighting module 219 D to identify factors that may indicate that an IP address is associated with a hosted IP address as opposed to an IP address of the network. The machine learning algorithm may develop the factors and incorporate them into the algorithm to further weigh the IP addresses.
  • the schematic flow chart diagram of FIG. 3 is generally set forth as a logical flow chart diagram. As such, the depicted order and labeled steps are indicative of aspects of the disclosed method. Other steps and methods can be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types can be employed in the flow chart diagram, they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors can be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.
  • FIG. 4 is a flow diagram illustrating IP mapping implemented by scorecard system 200 according to an embodiment of the disclosure. It is noted that embodiments of flow 400 can be implemented with the systems described with respect to FIGS. 1-2 , in particular the underlying components illustrated in FIG. 2B .
  • a processor disclosed in flow 400 may correspond to a processor within a scorecard server disclosed in this disclosure.
  • scorecard system 200 receives a new domain associated with an entity.
  • scorecard system 200 can implement reception module 219 A to receive a URL associated with an entity.
  • flow 400 includes queries 404 a - 404 c of data feeds to determine the different variations of the received domain name and to identify the IP addresses pointed to by the domain name data in the data feeds.
  • Data feeds may correspond to one or more data sources, such as one or more of data sources 150 illustrated in FIG. 1 .
  • scorecard system 200 can implement domain name variations module 219 B and/or IP address collection module 219 C.
  • scorecard system 200 may implement at least one of queries 404 a - 404 c by collecting data from one or more data sources and then implementing together the functions of domain name variations module 219 B and IP address collection module 219 C described above.
  • scorecard system 200 may implement at least one of queries 404 a - 404 c by implementing domain variations module 219 B before implementing IP collection module 219 C. In yet another embodiment, scorecard system 200 may implement at least one of queries 404 a - 404 c by implementing IP collection module 219 C before implementing domain name variations module 219 B.
  • scorecard system 200 may perform further analysis of the identified IP addresses to create an IP mapping for the entity. For example, in one embodiment, scorecard system 200 may implement weighting module 219 D to weigh the identified IP addresses and IP mapping creation module 219 E to create the IP mapping based at least on the weighting of the IP addresses. Based on the further analysis performed by implementing the functions of weighting module 219 D and IP mapping creation module 219 E, scorecard system 200 may create the IP mapping for an entity. For example, in one embodiment, the results of the further analysis may identify which IP addresses can be reliably included in the IP mapping for the entity and which IP addresses require additional analysis to determine whether the IP addresses should be included in the IP mapping for the entity or excluded from the IP mapping for the entity.
  • the scorecard system 200 may identify which IP addresses are most reliably associated with the entity based on a weight threshold. For example, in one embodiment, the scorecard system 200 may set a minimum weight threshold for IP addresses to be included in the created IP mapping. IP addresses with weights higher than the minimum threshold, for example IP addresses pointed to by domain name variations mentioned in numerous databases in association with the company or specifically provided by an employee of the company, may be indicated as reliably associated with the entity. In addition, IP addresses found in the majority of data feeds/sources may also be identified as reliably associated with the entity. In contrast, IP addresses with weights below the minimum threshold, for example IP addresses pointed to by unreliable domain name variations, may be indicated as not reliably associated with the entity. In addition, IP addresses not found in the majority of data feeds/sources may be indicated as not reliably associated with the entity.
  • IP addresses indicated as reliably associated with the entity may be grouped together, for example in bucket one 406 .
  • IP addresses in bucket one 406 may be automatically included in the entity's initial IP mapping 410 .
  • the IP addresses indicated as not initially being associated with the entity may be grouped together in a separate group, for example in bucket two 408 , to undergo further processing, as indicated in further processing block 412 in flow 400 .
  • further processing 412 performed on IP addresses grouped into bucket two 408 may include implementation of various aspects of IP address collection module 219 C, weighting module 219 D, and IP mapping creation module 219 E, as described in blocks 306 , 308 , and 310 of method 300 , respectively.
  • further processing 412 may include implementing IP collection module 219 C to collect IP specific information from IP specific data sources, such as ARIN, RIPE, LACNIC, AFRINIC, and APNIC.
  • further processing may include analyzing data in DNS records, such as performing reverse DNS automation, and analyzing data in BGP records, SSL certificates, security scanners, such as Nmap, CDN databases, and known security IP addresses, such as honeypots and sinkholes owned by security companies.
  • Scorecard system 200 may identify further IP addresses to include in the initial IP mapping 410 based on the further processing 412 performed on the IP addresses in bucket two 408 . For example, scorecard system 200 may identify IP addresses matching perfectly to an IP address associated with the entity as indicated by the IP addresses collected for the entity during the performance of further processing 412 . As an example, scorecard system 200 may group together the IP addresses matching perfectly into bucket three 414 and include the IP addresses in the initial IP mapping 410 .
  • IP addresses that were not identified during further processing 412 as matching perfectly to an IP address known to be associated with the entity based on the IP addresses collected using IP address collection module 219 C may undergo additional processing, such as at processing block 416 .
  • the processing performed on IP addresses at block 416 may include implementation of various aspects of IP address collection module 219 C, weighting module 219 D, and IP mapping creation module 219 E, as described in blocks 306 , 308 , and 310 of method 300 , respectively.
  • the processing at block 416 may include implementation of machine learning, such as the machine learning processing disclosed in the discussion regarding weighting module 219 D and block 308 .
  • the IP addresses placed in the initial mapping 410 may be verified as being associated with the entity through analysis of information provided for the entity on data sources, such as Freebase databases 418 and social media websites, for example LinkedIn 420 .
  • the initial IP mapping 410 may be identified as the final IP mapping created for an entity, such as the final IP mapping created for an entity at block 310 of FIG. 3 .
  • Computer-readable media includes physical computer storage media.
  • a storage medium can be any available medium that can be accessed by a computer.
  • such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer.
  • Disk and disc includes compact discs (CD), laser discs, optical discs, digital versatile discs (DVD), floppy disks and blu-ray discs. Generally, disks reproduce data magnetically, and discs reproduce data optically. Combinations of the above should also be included within the scope of computer-readable media.
  • instructions and/or data can be provided as signals on transmission media included in a communication apparatus.
  • a communication apparatus includes a transceiver having signals indicative of instructions and data.
  • the instructions and data can be configured to cause one or more processors to implement the functions outlined in the claims.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Human Resources & Organizations (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Strategic Management (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Economics (AREA)
  • Development Economics (AREA)
  • Educational Administration (AREA)
  • Operations Research (AREA)
  • Game Theory and Decision Science (AREA)
  • General Business, Economics & Management (AREA)
  • Tourism & Hospitality (AREA)
  • Quality & Reliability (AREA)
  • Marketing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Data Mining & Analysis (AREA)
  • Mathematical Physics (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • Medical Informatics (AREA)
  • Computer And Data Communications (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Systems and methods for mapping IP addresses to an entity include receiving at least one domain name associated with the entity. Embodiments may further include determining one or more variations of the at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name. Some embodiments may also include identifying one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources. Additional embodiments include assigning weights to each of the identified one or more IP addresses and creating a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims priority to U.S. Provisional Patent Application No. 62/091,477 entitled “CORPORATE IP ADDRESS DISCOVERY THROUGH SUBSIDIARY AND INTERNAL SYSTEM MAPPING SYSTEM AND METHOD,” filed on Dec. 13, 2014, and also claims priority to U.S. Provisional Patent Application No. 62/091,478 entitled “CORPORATE CYBER SECURITY BENCHMARKING AS A SERVICE SYSTEM AND METHOD,” filed on Dec. 13, 2014. The entire contents of both are incorporated herein by reference.
    • FIELD OF THE DISCLOSURE
  • This disclosure generally relates to corporate cybersecurity technology. More specifically, this disclosure relates to mapping Internet Protocol (IP) addresses to an entity to assist in benchmarking the entity's cybersecurity risk.
    • BACKGROUND
  • An entity, such as an organization, corporation, or governmental entity, may have a number of IP addresses allocated to it through which computers may be used for internal and external communication. For some entities, employees at different locations may communicate with each other using different network service providers, such as Internet Service Providers (ISPs). Some entities may also be accessed using third-party hosting providers and virtualized cloud services, which often assign part of their own allocated IP addresses to the entity instead of one of the IP addresses already allocated to the entity. As a result, an entity may not know each of the different IP addresses through which employees and computers of the entity communicate.
    • SUMMARY
  • A scorecard system may create a mapping of IP addresses that are associated with an entity to improve accuracy in the calculation of the entity's cybersecurity risk. For example, according to one embodiment, a method for mapping IP addresses to an entity may include receiving, by a processor, at least one domain name associated with the entity. The method may also include determining, by the processor, one or more variations of the at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name. The method may further include identifying, by the processor, one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources. The method may also include assigning, by the processor, a weight to each of the identified one or more IP addresses based on a correlation between each of the identified one or more IP addresses and the one or more variations of the at least one domain name. The method may further include creating, by the processor, a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses.
  • According to another embodiment, a computer program product includes a non-transitory computer-readable medium comprising instructions which, when executed by a processor of a computing system, cause the processor to perform the step of receiving at least one domain name associated with the entity. The medium may also include instructions which cause the processor to perform the step of determining one or more variations of the at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name. The medium may further include instructions which cause the processor to perform the step of identifying one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources. The medium may also include instructions which cause the processor to perform the step of assigning a weight to each of the identified one or more IP addresses based on a correlation between each of the identified one or more IP addresses and the one or more variations of the at least one domain name. The medium may further include instructions which cause the processor to perform the step of creating a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses.
  • According to yet another embodiment, an apparatus includes a memory and a processor coupled to the memory. The processor can be configured to execute the step of receiving at least one domain name associated with the entity. The processor may also be configured to execute the step of determining one or more variations of the at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name. The processor can be configured to execute the step of identifying one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources. The processor may also be configured to execute the step of assigning a weight to each of the identified one or more IP addresses based on a correlation between each of the identified one or more IP addresses and the one or more variations of the at least one domain name. The processor can be configured to execute the step of creating a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses.
  • The foregoing has outlined rather broadly the features and technical advantages of the present invention in order that the detailed description of the invention that follows can be better understood. Additional features and advantages of the invention will be described hereinafter that form the subject of the claims of the invention. It should be appreciated by those skilled in the art that the concepts and specific embodiments disclosed can be readily utilized as a basis for modifying or designing other structures for carrying out the same purposes of the present invention. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the spirit and scope of the invention as set forth in the appended claims. The novel features that are believed to be characteristic of the invention, both as to its organization and method of operation, together with further objects and advantages will be better understood from the following description when considered in connection with the accompanying figures. It is to be expressly understood, however, that each of the figures is provided for the purpose of illustration and description only and is not intended as a definition of the limits of the present invention.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • For a more complete understanding of the disclosure, reference is made to the following FIGURES taken in conjunction with their accompanying descriptions:
  • FIG. 1 is a block diagram of a network that includes a scorecard server, data sources, and an entity with a cybersecurity risk according to an embodiment;
  • FIG. 2 is a block diagram of a system for calculating and benchmarking an entity's cybersecurity risk according to an embodiment;
  • FIG. 2B is a block diagram of underlying components of a system for mapping IP addresses to an entity according to an embodiment; and
  • FIG. 3 is a flow chart of a method for mapping IP addresses to an entity according to an embodiment.
  • FIG. 4 is a flow diagram illustrating IP mapping with respect to one or more entities according to an embodiment.
    •  DETAILED DESCRIPTION
  • The IP addresses associated with an entity, including IP addresses associated with subsidiary and/or internal systems of the entity, may be determined based solely from knowledge of a domain name of an entity. Knowledge of the IP addresses associated with an entity may be useful for a variety of applications. For example, as illustrated in FIGS. 1-2, a mapping of the IP addresses associated with an entity may be used to determine a cybersecurity risk for an entity.
  • An IP address, as used herein, is a numerical label assigned to a device, such as a computer or printer, participating in a computer network that uses the Internet Protocol for communication. An IP address primarily serves two principal functions: (1) identification of a host or network interface, and (2) location addressing. IP addresses are typically binary numbers that are usually stored in text files and displayed in human-readable notations, such as 172.16.254.1 (for IPv4), and 2001:db8:0:1234:0:567:8:1 (for IPv6).
  • Certain units described in this specification have been labeled as modules in order to more particularly emphasize their implementation independence. A module is “[a] self-contained hardware or software component that interacts with a larger system.” Alan Freedman, “The Computer Glossary” 268 (8th ed. 1998). A module comprises a machine- or machines-executable instructions. For example, a module may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
  • Modules may also include software-defined units or instructions, that when executed by a processing machine or device, transform data stored on a data storage device from a first state to a second state. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions that may be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations that, when joined logically together, comprise the module, and when executed by the processor, achieve the stated data transformation. A module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and/or across several memory devices. Similarly, operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices.
  • In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of the present embodiments. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
  • FIG. 1 is a block diagram of network 100 that includes a scorecard server 110, a communication network 120, an entity server 130, an entity 140, data sources 150, and user station 160. The scorecard server 110 includes one or more servers that, according to one embodiment, are configured to perform several of the functions described herein. One or more of the servers comprising the scorecard server 110 include memory, storage hardware, software residing thereon, and one or more processors configured to perform functions associated with network 100. For example, components comprising user station 160, such as CPU 162, can be used to interface and/or implement scorecard server 110. One of skill in the art will readily recognize that different server and computer architectures can be utilized to implement scorecard server 110 and that scorecard server 110 is not limited to a particular architecture so long as the hardware implementing scorecard server 110 supports the functions of the scorecard system disclosed herein.
  • The communication network 120 facilitates communications of data between the scorecard server 110 and the data sources 150. The communication network 120 can also facilitate communications of data between the scorecard server 110 and other servers/processors, such as entity server 130. The communication network 120 includes any type of communications network, such as a direct PC-to-PC connection, a local area network (LAN), a wide area network (WAN), a modem-to-modem connection, the Internet, a combination of the above, or any other communications network now known or later developed within the networking arts which permits two or more computers to communicate.
  • The entity server 130 includes the servers which the entity 140 uses to support its operations and which the scorecard server 110 accesses to collect further information to calculate and benchmark an entity's cybersecurity risk. The data sources 150 include the sources from which the scorecard server 110 collects information to calculate and benchmark an entity's cybersecurity risk.
  • The Entity 140 includes any organization, company, corporation, or group of individuals. For example, and not limitation, one entity may be a corporation with thousands of employees and headquarters in New York City, while another entity may be a group of one or more individuals associated with a website and having headquarters in a residential home.
  • Data Sources 150 includes any source of data accessible over Network 120. For example, and not limitation, one source of data can include a website associated with a company, while another source of data may be an online database of various information. In general, the data sources 150 may be sources of any kind of data, such as domain name data, social media data, multimedia data, IP address data, and the like. One of skill in the art would readily recognize that data sources 150 are not limited to a particular data source, and that any source from which data may retrieved may serve as a data source so long as it can be accessed by network 120.
  • With respect to user station 160, the central processing unit (“CPU”) 161 is coupled to the system bus 162. The CPU 161 can be a general purpose CPU or microprocessor performing the functions of the scorecard server 110, a graphics processing unit (“GPU”), and/or microcontroller. Embodiments are not restricted by the architecture of the CPU 161 so long as the CPU 161, whether directly or indirectly, supports the operations described herein. The CPU 161 is one component may execute the various described logical instructions.
  • The user station 160 also comprises random access memory (RAM) 163, which can be synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), or the like. The user station 160 may utilize RAM 163 to store the various data structures used by a software application. The user station 160 also comprises read only memory (ROM) 164 which can be PROM, EPROM, EEPROM, optical storage, or the like. The ROM may store configuration information for booting the user station 160. The RAM 163 and the ROM 164 hold user and system data, and both the RAM 163 and the ROM 164 can be randomly accessed.
  • The user station 160 also comprises an input/output (I/O) adapter 165, a communications adapter 166, a user interface adapter 167, and a display adapter 168. The I/O adapter 165 and/or the user interface adapter 167 may, in certain embodiments, enable a user to interact with the user station 160. In a further embodiment, the display adapter 168 may display a graphical user interface (GUI) associated with a software or web-based application on a display device 169, such as a monitor or touch screen.
  • The I/O adapter 165 may couple one or more storage devices 170, such as one or more of a hard drive, a solid state storage device, a flash drive, a compact disc (CD) drive, a floppy disk drive, and a tape drive, to the user station 160. Also, the data storage 170 can be a separate server coupled to the user station 160 through a network connection to the I/O adapter 165. The communications adapter 166 can be adapted to couple the user station 160 to a network, which can be one or more of a LAN, WAN, and/or the Internet. The user interface adapter 167 couples user input devices, such as a keyboard 171, a pointing device 172, and/or a touch screen (not shown) to the user station 160. The display adapter 168 can be driven by the CPU 161 to control the display on the display device 169. Any of the devices 161-168 can be physical and/or logical.
  • The concepts described herein are not limited to the architecture of user station 160. Rather, the user station 160 is provided as an example of one type of computing device that can be adapted to perform the functions of a server and/or the user interface device 165. For example, any suitable processor-based device can be utilized including, without limitation, personal data assistants (PDAs), tablet computers, smartphones, computer game consoles, and multi-processor servers. Moreover, the systems and methods of the present disclosure can be implemented on application specific integrated circuits (ASIC), very large scale integrated (VLSI) circuits, or other circuitry. In fact, persons of ordinary skill in the art may utilize any number of suitable structures capable of executing logical operations according to the described embodiments.
  • It should be appreciated that user station 160, or certain components thereof, may reside at, or be installed in, different locations within network 100. According to the illustrated embodiment, user station 160 directly interfaces with scorecard server 110. Such an embodiment is conducive for an individual or user not directly associated with entity 140 to effectuate computation of a cybersecurity risk and/or benchmark of same for that entity. However, in other embodiments, one or more users located at entity 140 or locations directly associated with same, may effectuate computation of a cybersecurity risk and/or benchmark of same for that entity. In such an embodiment, user station 160 (or at least certain components thereof) may directly interface with entity servers 130. Likewise, entity servers 130 may comprise the hardware and/or software found in scorecard server 110 in the illustrated embodiment. Importantly, the features necessary to compute cybersecurity risk scores and benchmarks can be collocated within network 100 or distributed across, e.g., scorecard server 110 and entity servers 130, and user station(s) 160.
  • FIG. 2 is a block diagram of a system for calculating and benchmarking an entity's cybersecurity risk according to an embodiment. Such a system is described in detail in co-owned, currently-pending patent entitled “CALCULATING AND BENCHMARKING AN ENTITY'S CYBERSECURITY RISK SCORE,” [attorney docket number SCOR.P0001US] the disclosure of which is incorporated herein by reference in its entirety. System 200 can be implemented with one or more computing devices, such as scorecard server 110, entity servers 130, and user station(s) 160 illustrated in FIG. 1. System 200 comprises a security signal collection module 210, a contextualization and attribution module 220, and a benchmarking module 230.
  • Security signal collection module 210 collects one or more types of data that relate to the cybersecurity risks associated with an entity. Security signal collection module 210 comprises submodules that collect different types of data from a predefined “threat sphere.” The threat sphere may change depending on the entity for which a cybersecurity risk score is calculated, and may further change according to the goals and/or objectives of the entity. In any event, the threat sphere is typically defined to include sources of information that likely comprise, generate, are responsible for, or otherwise correspond to data indicative of an entity's cybersecurity risk. Accordingly, each module or submodule that collects data corresponds to one more channels or data feeds from sources comprising the threat sphere.
  • According to the illustrated embodiment, security signal collection module 210 comprises a social engineering collection module 201, a malware and botnet infection collection module 202, an application vulnerabilities collection module 203, a breach history collection module 204, a network exploits collection module 205, a DNS Health collection module 206, a patching cadence collection module 207, and a leaked credentials collection module 208.
  • Security signal collection module 210 can also comprises a hacker forum monitoring module 209 for collecting data from hacker forums can also and an endpoint security analysis module 211 for collecting endpoint data.
  • Security signal collection module 210 can also comprises modules for specifying when data is collected and how data is associated with an entity. For example, the security signal collection module 210 comprises a continuous Internet scans module 212 for performing continuous scans of Internet data to collect data associated with an entity. The security signal collection module 210 can also comprises a real-time scans collection module 213 for collecting data in real time, such as collecting real-time threat intelligence/data and collecting data in real time from a malicious IP feed, which can include digesting 2000+bad (IPS) per second. The security signal collection module 210 can also comprises an IP Mapping module 214 to reliably identify IP addresses associated with an entity. By mapping IP addresses to an entity, data collected the Internet over one or more channels comprising the threat sphere (or beyond) can be determined to be associated with, or attributable to, the given entity.
  • Contextualization and attribution module 220 contextualizes data collected by the security signal collection module 210. The contextualization and attribution module 220 comprises an extraction module 222 to extract data relevant to cybersecurity of a given entity from the collected data. The contextualization and attribution module 220 can also comprises a normalization module 224 and a weighting module 226 to normalize and/or weight a preliminary security score determined based on a raw scoring of the extracted security data. The normalization and/or weighting of a preliminary score may depend on multiple factors, such as, for example, the size of the entity, the relationship between the extracted information and overall security performance, and the type of data collected.
  • The contextualization and attribution module 220 can also comprises a machine learning module 228 to identify and update which factors most significantly affect an entity's cybersecurity. This information can be used to further contextualize the collected data. For example, the security scores identified as being the most relevant may then be normalized and/or weighted to account for their relevancy. The contextualization process can also comprises applying temporal adjustments to security data or calculated security scores based on the time span between an event that generated the security data and the current date. In some embodiments, contextualization can also comprises validating threats, such as, for example, by confirming that an event creating data that indicates the presence of a malware event is in fact a malware event. Further aspects of the contextualization submodules are described in detail below.
  • Benchmarking module 230 calculates an overall cybersecurity risk score for an entity, as well as a benchmark based on cybersecurity performance metrics. The computed benchmark may further comprise a percentile ranking for the entity. For example, the benchmarking module 230 comprises a scoring module 232 to obtain the overall cybersecurity risk score for an entity based on the contextualization of the entity's security data and processing of scores for each of the different types of security data collected for the entity.
  • The benchmarking module 230 can also comprises a percentiles module 234 to determine a percentile ranking for the entity which provides an indication of how the entity's cybersecurity fairs with respect to similar companies in the same industry. Further aspects of the benchmarking submodules are described in detail below. A scorecard server, such as scorecard server 100 from FIG. 1, may utilize one or more of the submodules in the security signal collection 210, contextualization 220, and benchmarking 230 modules to score and benchmark an entity's cybersecurity risk.
  • As is apparent from FIG. 1 and FIG. 2, a mapping of the IP addresses associated with an entity may be useful to improve the accuracy with which a scorecard system calculates a cybersecurity score for an entity. FIG. 2B is a block diagram of underlying components of a system for mapping IP addresses to an entity, and FIG. 3 is a flow chart illustrating a method for mapping IP addresses to an entity using the underlying components of the system for mapping IP addresses to an entity. It is noted that embodiments of method 300 can be implemented with the systems described with respect to FIGS. 1-2, in particular the underlying components illustrated in FIG. 2B. For example, a processor disclosed in method 300 may correspond to a processor within a scorecard server disclosed in this disclosure. Specifically, method 300 includes, at block 302, receiving at least one domain name associated with the entity. For example, scorecard system 200 can implement reception module 219A to receive a URL associated with an entity. The URL may include the domain name for the entity. The URL, and in particular the domain name, may be input by a user accessing scorecard system 200, for example, a user accessing scorecard system 200 via user station 160 illustrated in FIG. 1.
  • At block 304, method 300 includes determining one or more variations of the at least one domain name. For example, scorecard system 200 can implement domain name variations module 219B to determine one or more variations of a received domain name. In some embodiments, determination of the variations of the domain name may be based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the domain name. As noted with respect to FIG. 1, data sources 150 from which domain name data may be gathered include any sources of data which include information about the domain names used or mentioned in the data source. Examples, and not limitations, of data sources include databases, such as Freebase™ and CrunchBase©, online services, such as LinkedIn©, and general informational websites, such as CNN.com. For example, given a domain “gs.com,” scorecard system 200 may collect domain name data from multiple data sources across the Internet. The scorecard system 200 may analyze the domain name data collected from the data sources to determine one or more variations of the domain name, such as “gs.com” and “goldmansachs.com.” In general, the domain name data may also include general mentions of an entity in a data source. For example, given a domain “gs.com,” domain name variations may also include “Goldman Sachs, Inc.” and “The Goldman Sachs,” each of which may point to IP addresses. The information collected from all the data sources may be correlated to determine the most accurate variations of the domain names associated with an entity. For example, a machine learning algorithm may be developed to correlate the domain name data collected from all the data sources to determine the most accurate variations of the domain names associated with the entity. In some embodiments, the scorecard system 200 may also suffix or append characters to an identified domain name to aid in the determination of the domain name variations.
  • At block 306, method 300 includes identifying one or more IP addresses pointed to by the one or more variations of the entity's domain name. For example, scorecard system 200 can implement IP address collection module 219C to identify IP addresses pointed to by domain name data. In some embodiments, identification of the one or more IP addresses may be based on analysis of IP address data collected from a plurality of IP address data sources. Examples, and not limitations, of data sources from which IP addresses may be collected include IP registries, such as the American Registry for Internet Numbers (ARIN), the European IP Networks (RIPE), the Latin America and Caribbean Network Information Centre (LACNIC), the African Network Information Center (AFRINIC), and the Asia-Pacific Network Information Centre (APNIC). Other data sources include third-party IP address databases. In some embodiments, the scorecard system 200 may also analyze data in Domain Name System (DNS) records, Border Gateway Protocol (BGP) records, Secure Socket Layer (SSL) certificates, security scanners, such as Nmap, content delivery network (CDN) databases, and known security IP addresses, such as honeypots and sinkholes owned by security companies. From analysis of data collected from the data sources, the scorecard system can identify the IP addresses pointed to by the different variations of the entity's domain name.
  • At block 308, method 300 includes assigning, by the processor, a weight to each of the identified one or more IP addresses. For example, scorecard system 200 can implement IP weighting module 219D to weigh the identified IP addresses. In some embodiments, weighting may be based on a correlation between each of the identified one or more IP addresses and the one or more variations of the at least one domain name. In one embodiment, a good correlation may consist of an IP address that is pointed to by multiple variations of the domain name data. In other words, weighting may include assigning a larger weight to an IP address of the identified one or more IP addresses that maps to multiple of the one or more variations of the at least one domain name than the weight assigned to an IP address of the identified one or more IP addresses that maps to only one of the one or more variations of the at least one domain name. For example, in one embodiment, a mapping Ci may consist of a single mapping between an IP address and a domain name data variation. For multiple mappings, such as C1, C2, . . . , Cn, the number of times an IP address maps to a different variation of the domain name data may be tracked. Based on the number of times an IP address maps to a different variation of the domain name data for an entity, a weight between 0 and 1 can be assigned to the IP address. A higher weight may be assigned to IP addresses pointed to multiple times than IP addresses pointed to once.
  • Weighting with weighting module 219D may also include weighting based on the reliability of the domain name variation determined for an entity. For example, if the scorecard system 200 had to perform truncation or appending to obtain the domain name variation or if the domain name variation is mentioned only once in only a single data source, then the scorecard system 200 may assign a lower weight to the IP address pointed to by the domain name variation. In other words, a good indication that an IP address is associated with an entity is that multiple variations for the entity's domain name point to the same IP address. In contrast, if the domain name pointing to an IP address is mentioned in numerous databases in association with the company or if the domain name variation is one specifically provided by an employee of the company, then the scorecard system 200 may assign a larger weight to the IP address. In another embodiment, weighing with weighting module 219D may also include weighting based on the specific type of entity network with which the collected IP addresses are associated. For example, an IP address associated with a guest network or WiFi network of the entity may be assigned a lower weight than an IP address associated with an intranet network of the entity.
  • The scorecard system 200 may also include a machine learning algorithm to perform the weighting disclosed herein. For example, the scorecard system 200 may utilize a machine learning algorithm to, in addition to implement the other weighting routines disclosed above, analyze anonymized fingerprints of browsers when analyzing IP addresses obtained from online advertisements or e-mails. One of skill in the art would readily recognize that the machine learning algorithm is not limited to implementing only the weighting factors disclosed herein, and that many other factors may be incorporated into the machine learning algorithm so long as the machine learning algorithm utilizes the factors to weight the IP addresses association with domain name variations of an entity.
  • At block 310, method 300 includes creating a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses. For example, scorecard system 200 can implement IP mapping creation module 219E to create the mapping. In particular, the scorecard system 200 may create the IP mapping by selecting only the IP addresses that are most reliably associated with the entity for inclusion into the IP mapping. For example, in one embodiment, the scorecard system 200 may set a minimum weight threshold for IP addresses to be included in the created IP mapping. IP addresses with weights higher than then minimum threshold, for example IP addresses pointed to by domain name variations mentioned in numerous databases in association with the company or specifically provided by an employee of the company, may be included in the created IP mapping. IP addresses with weights below the minimum threshold, for example IP addresses pointed to by unreliable domain name variations, may be excluded from inclusion in the created IP mapping. In some embodiments, the created mapping of IP addresses may be adjusted or maintained up-to-date by periodically executing the reception 219A, domain name variations 219B, IP address collection 219C, weighting 219D, and IP mapping creation 219E modules as disclosed herein.
  • The IP mapping for an entity, such as the IP mapping created at block 310 using IP mapping creation module 219E, may be adjusted for a variety of reasons. For example, in one embodiment, a representative of an entity may provide specific IP addresses for inclusion in the IP mapping for the entity or the representative of the entity may specify which IP addresses in the created IP mapping should not be included in the IP mapping. In other words, the scorecard system 200 adjusts the created mapping of IP addresses based on user input. In some embodiments, the representative may input the IP addresses to include or exclude by accessing the scorecard system 200 via user station 160. The scorecard system may then modify the IP mapping based on the information provided by the entity representative. In some embodiments, the scorecard system 200 may also exclude from the IP mapping IP addresses associated with networks other than the entity network, such as a Wi-Fi, third-party hosting, guest, or security network. The scorecard system 200 may associate IP addresses with the other networks based on user input provided on user station 160. The scorecard system may also associate IP addresses to the other networks based on the weighting performed by weighting module 219D. For example, the machine learning algorithm utilized during weighting may have identified networks not associated with the entity and weighted the IP addresses associated with such networks lower than other IP addresses. As another example, the machine learning algorithm may have detected IP addresses not having access to data internal to the entity and assigned lower weights to those IP addresses.
  • The scorecard system 200 may also determine the IP addresses to be excluded from the IP mapping during creation of an IP mapping without user input. For example, in one embodiment, IP addresses associated with security providers, such as CloudFlare and Akamai, may be excluded from the created IP mapping because they are associated with the security provider and not the entity. To identify IP addresses associated with security providers and IP addresses behind the security provider that are associated with an entity, the scorecard system 200 may utilize IP address collection module 219C to collect IP address information from unusual data sources. For example, the scorecard system 200 may collect IP address information from alternative domain data sources which may not be configured properly. As another example, the scorecard system 200 may collect and analyze data transmission headers associated with the security providers. In yet another example, the scorecard system 200 may read IP addresses from TCP port 80. In another embodiment, the scorecard system 200 may collect the IP address information directly from the security provider.
  • The scorecard system 200 may also determine IP addresses to be excluded from the created IP mapping by determining whether the collected IP addresses are associated with a WiFi or guest network provided by the entity. In some embodiments, the entity may provide the scorecard system 200 with the WiFi or guest networks provided by the entity. In other embodiments, the scorecard system may determine the networks during execution of the IP address collection module 219C by collecting data for data sources that specify WiFi and guest networks available by the entity. The scorecard system 200 may also perform an Nmap banner grab during IP address collection to identify whether the IP address is associated with a guest network of the entity.
  • The IP mapping created with IP mapping creation module 219E may be associated with a subnetwork of an entity's network because some entities, such as network hosting entities, may have multiple networks. In one embodiment, the desired IP addresses to be associated with the entity may be only those IP addresses associated with the entity's network. In another embodiment, the desired IP addresses to be associated with the entity may be the IP addresses that are hosted for other entities. The scorecard system 200 may create the different IP mappings based on a variety of factors. For example, the scorecard system 200 may be provided with information by the entity which specifies which collected IP addresses should be associated with the entity's network and which IP addresses should be associated with the entity's hosting network. In another embodiment, the scorecard system 200 may look at whether a collected IP address is associated with a hosted virtual machine to determine in which IP mapping the IP address should be placed. In other embodiments, the scorecard system 200 may use the machine learning algorithm utilized while executing weighting module 219D to identify factors that may indicate that an IP address is associated with a hosted IP address as opposed to an IP address of the network. The machine learning algorithm may develop the factors and incorporate them into the algorithm to further weigh the IP addresses.
  • The schematic flow chart diagram of FIG. 3 is generally set forth as a logical flow chart diagram. As such, the depicted order and labeled steps are indicative of aspects of the disclosed method. Other steps and methods can be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types can be employed in the flow chart diagram, they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors can be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.
  • FIG. 4 is a flow diagram illustrating IP mapping implemented by scorecard system 200 according to an embodiment of the disclosure. It is noted that embodiments of flow 400 can be implemented with the systems described with respect to FIGS. 1-2, in particular the underlying components illustrated in FIG. 2B. For example, a processor disclosed in flow 400 may correspond to a processor within a scorecard server disclosed in this disclosure. Referring to flow 400, at block 402, scorecard system 200 receives a new domain associated with an entity. For example, scorecard system 200 can implement reception module 219A to receive a URL associated with an entity.
  • At blocks 404 a-404 c, flow 400 includes queries 404 a-404 c of data feeds to determine the different variations of the received domain name and to identify the IP addresses pointed to by the domain name data in the data feeds. Data feeds may correspond to one or more data sources, such as one or more of data sources 150 illustrated in FIG. 1. In some embodiments, to implement queries 404 a-404 c, scorecard system 200 can implement domain name variations module 219B and/or IP address collection module 219C. In some embodiments, scorecard system 200 may implement at least one of queries 404 a-404 c by collecting data from one or more data sources and then implementing together the functions of domain name variations module 219B and IP address collection module 219C described above. In another embodiment, scorecard system 200 may implement at least one of queries 404 a-404 c by implementing domain variations module 219B before implementing IP collection module 219C. In yet another embodiment, scorecard system 200 may implement at least one of queries 404 a-404 c by implementing IP collection module 219C before implementing domain name variations module 219B.
  • After performing queries 404 a-404 c, scorecard system 200 may perform further analysis of the identified IP addresses to create an IP mapping for the entity. For example, in one embodiment, scorecard system 200 may implement weighting module 219D to weigh the identified IP addresses and IP mapping creation module 219E to create the IP mapping based at least on the weighting of the IP addresses. Based on the further analysis performed by implementing the functions of weighting module 219D and IP mapping creation module 219E, scorecard system 200 may create the IP mapping for an entity. For example, in one embodiment, the results of the further analysis may identify which IP addresses can be reliably included in the IP mapping for the entity and which IP addresses require additional analysis to determine whether the IP addresses should be included in the IP mapping for the entity or excluded from the IP mapping for the entity.
  • As noted with respect to FIG. 3, the scorecard system 200 may identify which IP addresses are most reliably associated with the entity based on a weight threshold. For example, in one embodiment, the scorecard system 200 may set a minimum weight threshold for IP addresses to be included in the created IP mapping. IP addresses with weights higher than the minimum threshold, for example IP addresses pointed to by domain name variations mentioned in numerous databases in association with the company or specifically provided by an employee of the company, may be indicated as reliably associated with the entity. In addition, IP addresses found in the majority of data feeds/sources may also be identified as reliably associated with the entity. In contrast, IP addresses with weights below the minimum threshold, for example IP addresses pointed to by unreliable domain name variations, may be indicated as not reliably associated with the entity. In addition, IP addresses not found in the majority of data feeds/sources may be indicated as not reliably associated with the entity.
  • As indicated in flow 400, IP addresses indicated as reliably associated with the entity may be grouped together, for example in bucket one 406. IP addresses in bucket one 406 may be automatically included in the entity's initial IP mapping 410. In contrast, the IP addresses indicated as not initially being associated with the entity may be grouped together in a separate group, for example in bucket two 408, to undergo further processing, as indicated in further processing block 412 in flow 400.
  • In some embodiments, further processing 412 performed on IP addresses grouped into bucket two 408 may include implementation of various aspects of IP address collection module 219C, weighting module 219D, and IP mapping creation module 219E, as described in blocks 306, 308, and 310 of method 300, respectively. For example, further processing 412 may include implementing IP collection module 219C to collect IP specific information from IP specific data sources, such as ARIN, RIPE, LACNIC, AFRINIC, and APNIC. In addition, further processing may include analyzing data in DNS records, such as performing reverse DNS automation, and analyzing data in BGP records, SSL certificates, security scanners, such as Nmap, CDN databases, and known security IP addresses, such as honeypots and sinkholes owned by security companies.
  • Scorecard system 200 may identify further IP addresses to include in the initial IP mapping 410 based on the further processing 412 performed on the IP addresses in bucket two 408. For example, scorecard system 200 may identify IP addresses matching perfectly to an IP address associated with the entity as indicated by the IP addresses collected for the entity during the performance of further processing 412. As an example, scorecard system 200 may group together the IP addresses matching perfectly into bucket three 414 and include the IP addresses in the initial IP mapping 410.
  • In other embodiments, those IP addresses that were not identified during further processing 412 as matching perfectly to an IP address known to be associated with the entity based on the IP addresses collected using IP address collection module 219C may undergo additional processing, such as at processing block 416. The processing performed on IP addresses at block 416 may include implementation of various aspects of IP address collection module 219C, weighting module 219D, and IP mapping creation module 219E, as described in blocks 306, 308, and 310 of method 300, respectively. For example, the processing at block 416 may include implementation of machine learning, such as the machine learning processing disclosed in the discussion regarding weighting module 219D and block 308.
  • In some embodiments, the IP addresses placed in the initial mapping 410 may be verified as being associated with the entity through analysis of information provided for the entity on data sources, such as Freebase databases 418 and social media websites, for example LinkedIn 420. In some embodiments, the initial IP mapping 410, either before or after the optional aforementioned verification processing, may be identified as the final IP mapping created for an entity, such as the final IP mapping created for an entity at block 310 of FIG. 3.
  • If implemented in firmware and/or software, the functions described above can be stored as one or more instructions or code on a computer-readable medium. Examples include non-transitory computer-readable media encoded with a data structure and computer-readable media encoded with a computer program. Computer-readable media includes physical computer storage media. A storage medium can be any available medium that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer. Disk and disc includes compact discs (CD), laser discs, optical discs, digital versatile discs (DVD), floppy disks and blu-ray discs. Generally, disks reproduce data magnetically, and discs reproduce data optically. Combinations of the above should also be included within the scope of computer-readable media.
  • In addition to storage on computer-readable medium, instructions and/or data can be provided as signals on transmission media included in a communication apparatus. For example, a communication apparatus includes a transceiver having signals indicative of instructions and data. The instructions and data can be configured to cause one or more processors to implement the functions outlined in the claims.
  • Although the present disclosure and its advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the disclosure as defined by the appended claims. Moreover, the scope of the present application is not intended to be limited to the particular embodiments of the process, machine, manufacture, composition of matter, means, methods and steps described in the specification. As one of ordinary skill in the art will readily appreciate from the present invention, disclosure, machines, manufacture, compositions of matter, means, methods, or steps, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding embodiments described herein can be utilized according to the present disclosure. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or steps.

Claims (20)

1. A method for mapping Internet Protocol (IP) addresses to an entity, the method comprising:
determining, by a processor operating at a node in a network, one or more variations of at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources over the network that mention a variation of the at least one domain name;
identifying, by the processor, one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources; and
assigning, by the processor, a weight to each of the identified one or more IP addresses based on a correlation between each of the identified one or more IP addresses and the one or more variations of the at least one domain name; wherein assigning a weight comprises;
assigning a first weight to an IP address of the identified one or more IP addresses that maps to multiple of the one or more variations of the at least one domain name and
assigning a second weight to an IP address of the identified one or more IP addresses that maps to only one of the one or more variations of the at least one domain name;
where the first weight is greater than the second weight.
2. The method of claim 1, wherein identifying one or more IP addresses comprises collecting one or more IP addresses that map to the one or more variations of the at least one domain name.
3. The method of claim 1, further comprising:
mapping IP addresses to the entity based on analysis of the first weighted one or more IP addresses and the second weighted or more IP addresses.
4. The method of claim 3, further comprising adjusting the created mapping of IP addresses based on user input.
5. The method of claim 3, further comprising adjusting or maintaining up-to-date the created mapping of IP addresses by periodically performing the foregoing steps of receiving, determining, identifying, assigning, and creating.
6. The method of claim 1, further comprising:
associating IP addresses with one or more networks that do not include the entity based on a detection of IP addresses not having access to data internal to the entity.
7. The method of claim 6, wherein the networks other than the entity comprise at least one of a Wi-Fi, third-party hosting, guest, or security network.
8. A computer program product, comprising:
a non-transitory computer-readable medium comprising instructions which, when executed by a processor of a computing system, cause the processor to perform the steps of:
determining one or more variations of at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name;
identifying one or more IP addresses pointed to by the one or more variations of the at least one domain name based on analysis of IP address data collected from a plurality of IP address data sources; and
assigning a weight to each of the identified one or more IP addresses based on a correlation between each of the identified one or more IP addresses and the one or more variations of the at least one domain name, wherein assigning a weight comprises:
assigning a first weight to an IP address of the identified one or more IP addresses that maps to multiple of the one or more variations of the at least one domain name, and
assigning a second weight to an IP address of the identified one or more IP addresses that maps to only one of the one or more variations of the at least one domain name
where the first weight is greater than the second weight.
9. The computer program product of claim 8, wherein identifying one or more IP addresses comprises collecting one or more IP addresses that map to the one or more variations of the at least one domain name.
10. The computer program product of claim 8, wherein the medium further comprises instructions to cause the processor further perform:
mapping IP addresses to the entity based on analysis of the first weighted one or more IP addresses and the second weighted one or more IP addresses.
11. The computer program product of claim 8, wherein the medium further comprises instructions to cause the processor to perform:
adjusting the created mapping of IP addresses based on user input.
12. The computer program product of claim 8, wherein the medium further comprises instructions to cause the processor to perform:
adjusting or maintaining up-to-date the created mapping of IP addresses by periodically performing the foregoing steps of receiving, determining, identifying, assigning, and creating.
13. The computer program product of claim 10, wherein the medium further comprises instructions to cause the processor to perform: associating IP addresses with one or more networks that do not include the entity based on a detection of IP addresses not having access to data internal to the entity.
14. The computer program product of claim 8, wherein the networks other than the entity comprise at least one of a Wi-Fi, third-party hosting, guest, or security network.
15. An apparatus, comprising:
a memory; and
a processor coupled to the memory, the processor configured to execute the steps of:
determining one or more variations of the at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name;
identifying one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources; and
assigning a weight to each of the identified one or more IP addresses based on a correlation between each of the identified one or more IP addresses and the one or more variations of the at least one domain name, wherein assigning a weight comprises:
assigning a first weight to an IP address of the identified one or more IP addresses that maps to multiple of the one or more variations of the at least one domain name, and
assigning a second weight to an IP address of the identified one or more IP addresses that maps to only one of the one or more variations of the at least one domain name:
where the first weight is greater than the second weight.
16. The apparatus of claim 15, wherein identifying one or more IP addresses comprises collecting one or more IP addresses that map to the one or more variations of the at least one domain name.
17. The apparatus of claim 15, wherein the processor is further configured to:
map IP addresses to the entity based on analysis of the first weighted one or more IP addresses and the second weighted one or more IP addresses.
18. The apparatus of claim 15, wherein the processor is further configured to:
adjust the created mapping of IP addresses based on user input.
19. The apparatus of claim 15, wherein the processor is further configured to:
adjust or maintain the created mapping of IP addresses by periodically performing the foregoing steps of receiving, determining, identifying, assigning, and creating.
20. The apparatus of claim 15, wherein the processor is further configured to:
associate IP addresses with one or more networks that do not include the entity based on a detection of IP addresses not having access to data internal to the entity, wherein the one or more networks comprise at least one of a Wi-Fi, third-party hosting, guest, or security network.
US14/702,668 2014-12-13 2015-05-01 Entity IP mapping Active US9372994B1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
US14/702,668 US9372994B1 (en) 2014-12-13 2015-05-01 Entity IP mapping
US15/155,745 US10491620B2 (en) 2014-12-13 2016-05-16 Entity IP mapping
US16/582,037 US10931704B2 (en) 2014-12-13 2019-09-25 Entity IP mapping
US17/182,074 US11750637B2 (en) 2014-12-13 2021-02-22 Entity IP mapping
US18/309,670 US12041073B2 (en) 2014-12-13 2023-04-28 Entity IP mapping
US18/744,908 US20240340304A1 (en) 2014-12-13 2024-06-17 Entity ip mapping

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201462091478P 2014-12-13 2014-12-13
US201462091477P 2014-12-13 2014-12-13
US14/702,668 US9372994B1 (en) 2014-12-13 2015-05-01 Entity IP mapping

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/155,745 Continuation US10491620B2 (en) 2014-12-13 2016-05-16 Entity IP mapping

Publications (2)

Publication Number Publication Date
US20160171217A1 true US20160171217A1 (en) 2016-06-16
US9372994B1 US9372994B1 (en) 2016-06-21

Family

ID=55487536

Family Applications (22)

Application Number Title Priority Date Filing Date
US14/702,661 Active US9501647B2 (en) 2014-12-13 2015-05-01 Calculating and benchmarking an entity's cybersecurity risk score
US14/702,668 Active US9372994B1 (en) 2014-12-13 2015-05-01 Entity IP mapping
US14/702,666 Abandoned US20160171415A1 (en) 2014-12-13 2015-05-01 Cybersecurity risk assessment on an industry basis
US14/702,667 Active US9641547B2 (en) 2014-12-13 2015-05-01 Entity IP mapping
US14/702,664 Active US9294498B1 (en) 2014-12-13 2015-05-01 Online portal for improving cybersecurity risk scores
US15/072,168 Active US10491619B2 (en) 2014-12-13 2016-03-16 Online portal for improving cybersecurity risk scores
US15/155,745 Active 2035-12-23 US10491620B2 (en) 2014-12-13 2016-05-16 Entity IP mapping
US15/333,099 Active US10498756B2 (en) 2014-12-13 2016-10-24 Calculating and benchmarking an entity's cybersecurity risk score
US15/443,700 Active US10230753B2 (en) 2014-12-13 2017-02-27 Entity IP mapping
US16/299,040 Active US10560474B2 (en) 2014-12-13 2019-03-11 Entity IP mapping
US16/582,037 Active US10931704B2 (en) 2014-12-13 2019-09-25 Entity IP mapping
US16/690,223 Active US11336677B2 (en) 2014-12-13 2019-11-21 Online portal for improving cybersecurity risk scores
US16/723,452 Active US11140192B2 (en) 2014-12-13 2019-12-20 Entity IP mapping
US16/833,365 Active US11451572B2 (en) 2014-12-13 2020-03-27 Online portal for improving cybersecurity risk scores
US16/932,560 Active US10848517B1 (en) 2014-12-13 2020-07-17 Cybersecurity risk assessment on an industry basis
US17/102,359 Active 2036-02-01 US11785037B2 (en) 2014-12-13 2020-11-23 Cybersecurity risk assessment on an industry basis
US17/182,074 Active US11750637B2 (en) 2014-12-13 2021-02-22 Entity IP mapping
US17/493,592 Active 2035-05-06 US11916952B2 (en) 2014-12-13 2021-10-04 Entity IP mapping
US18/309,670 Active US12041073B2 (en) 2014-12-13 2023-04-28 Entity IP mapping
US18/466,876 Pending US20240007496A1 (en) 2014-12-13 2023-09-14 Cybersecurity risk assessment on an industry basis
US18/427,778 Pending US20240171604A1 (en) 2014-12-13 2024-01-30 Entity ip mapping
US18/744,908 Pending US20240340304A1 (en) 2014-12-13 2024-06-17 Entity ip mapping

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US14/702,661 Active US9501647B2 (en) 2014-12-13 2015-05-01 Calculating and benchmarking an entity's cybersecurity risk score

Family Applications After (20)

Application Number Title Priority Date Filing Date
US14/702,666 Abandoned US20160171415A1 (en) 2014-12-13 2015-05-01 Cybersecurity risk assessment on an industry basis
US14/702,667 Active US9641547B2 (en) 2014-12-13 2015-05-01 Entity IP mapping
US14/702,664 Active US9294498B1 (en) 2014-12-13 2015-05-01 Online portal for improving cybersecurity risk scores
US15/072,168 Active US10491619B2 (en) 2014-12-13 2016-03-16 Online portal for improving cybersecurity risk scores
US15/155,745 Active 2035-12-23 US10491620B2 (en) 2014-12-13 2016-05-16 Entity IP mapping
US15/333,099 Active US10498756B2 (en) 2014-12-13 2016-10-24 Calculating and benchmarking an entity's cybersecurity risk score
US15/443,700 Active US10230753B2 (en) 2014-12-13 2017-02-27 Entity IP mapping
US16/299,040 Active US10560474B2 (en) 2014-12-13 2019-03-11 Entity IP mapping
US16/582,037 Active US10931704B2 (en) 2014-12-13 2019-09-25 Entity IP mapping
US16/690,223 Active US11336677B2 (en) 2014-12-13 2019-11-21 Online portal for improving cybersecurity risk scores
US16/723,452 Active US11140192B2 (en) 2014-12-13 2019-12-20 Entity IP mapping
US16/833,365 Active US11451572B2 (en) 2014-12-13 2020-03-27 Online portal for improving cybersecurity risk scores
US16/932,560 Active US10848517B1 (en) 2014-12-13 2020-07-17 Cybersecurity risk assessment on an industry basis
US17/102,359 Active 2036-02-01 US11785037B2 (en) 2014-12-13 2020-11-23 Cybersecurity risk assessment on an industry basis
US17/182,074 Active US11750637B2 (en) 2014-12-13 2021-02-22 Entity IP mapping
US17/493,592 Active 2035-05-06 US11916952B2 (en) 2014-12-13 2021-10-04 Entity IP mapping
US18/309,670 Active US12041073B2 (en) 2014-12-13 2023-04-28 Entity IP mapping
US18/466,876 Pending US20240007496A1 (en) 2014-12-13 2023-09-14 Cybersecurity risk assessment on an industry basis
US18/427,778 Pending US20240171604A1 (en) 2014-12-13 2024-01-30 Entity ip mapping
US18/744,908 Pending US20240340304A1 (en) 2014-12-13 2024-06-17 Entity ip mapping

Country Status (1)

Country Link
US (22) US9501647B2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109005118A (en) * 2018-08-21 2018-12-14 中国平安人寿保险股份有限公司 Search method, apparatus, computer equipment and the storage medium of CDN source station address
US10491620B2 (en) * 2014-12-13 2019-11-26 SecurityScorecare, Inc. Entity IP mapping

Families Citing this family (286)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9773288B2 (en) * 2009-11-17 2017-09-26 Endera Systems, Llc Radial data visualization system
US10805331B2 (en) 2010-09-24 2020-10-13 BitSight Technologies, Inc. Information technology security assessment system
US8726379B1 (en) 2011-07-15 2014-05-13 Norse Corporation Systems and methods for dynamic protection from electronic attacks
US20170004521A1 (en) * 2011-07-25 2017-01-05 Prevedere, Inc Systems and methods for generating industry outlook scores
US10559009B1 (en) * 2013-03-15 2020-02-11 Semcasting, Inc. System and method for linking qualified audiences with relevant media advertising through IP media zones
US9438615B2 (en) 2013-09-09 2016-09-06 BitSight Technologies, Inc. Security risk management
US11405410B2 (en) 2014-02-24 2022-08-02 Cyphort Inc. System and method for detecting lateral movement and data exfiltration
EP3111363A4 (en) * 2014-02-28 2017-10-04 Temporal Defense Systems, LLC Security evaluation systems and methods
US9838260B1 (en) 2014-03-25 2017-12-05 Amazon Technologies, Inc. Event-based data path detection
US10467423B1 (en) 2014-03-26 2019-11-05 Amazon Technologies, Inc. Static analysis-based tracking of data in access-controlled systems
JP5884000B1 (en) * 2014-04-01 2016-03-15 株式会社テイエルブイ Risk assessment system for process system, risk assessment program, and risk assessment method
US10474820B2 (en) * 2014-06-17 2019-11-12 Hewlett Packard Enterprise Development Lp DNS based infection scores
US10546122B2 (en) 2014-06-27 2020-01-28 Endera Systems, Llc Radial data visualization system
US20190018968A1 (en) * 2014-07-17 2019-01-17 Venafi, Inc. Security reliance scoring for cryptographic material and processes
US9942250B2 (en) 2014-08-06 2018-04-10 Norse Networks, Inc. Network appliance for dynamic protection from risky network activities
US9887984B2 (en) 2014-10-24 2018-02-06 Temporal Defense Systems, Llc Autonomous system for secure electric system access
US9544325B2 (en) * 2014-12-11 2017-01-10 Zerofox, Inc. Social network security monitoring
US10728272B1 (en) * 2014-12-17 2020-07-28 Amazon Technologies, Inc. Risk scoring in a connected graph
US9800605B2 (en) * 2015-01-30 2017-10-24 Securonix, Inc. Risk scoring for threat assessment
USD814494S1 (en) 2015-03-02 2018-04-03 Norse Networks, Inc. Computer display panel with an icon image of a live electronic threat intelligence visualization interface
USD810775S1 (en) 2015-04-21 2018-02-20 Norse Networks, Inc. Computer display panel with a graphical live electronic threat intelligence visualization interface
US9923915B2 (en) * 2015-06-02 2018-03-20 C3 Iot, Inc. Systems and methods for providing cybersecurity analysis based on operational technologies and information technologies
US10536357B2 (en) 2015-06-05 2020-01-14 Cisco Technology, Inc. Late data detection in data center
US10142353B2 (en) 2015-06-05 2018-11-27 Cisco Technology, Inc. System for monitoring and managing datacenters
US9923914B2 (en) * 2015-06-30 2018-03-20 Norse Networks, Inc. Systems and platforms for intelligently monitoring risky network activities
US11282017B2 (en) 2015-07-11 2022-03-22 RiskRecon Inc. Systems and methods for monitoring information security effectiveness
US10032031B1 (en) * 2015-08-27 2018-07-24 Amazon Technologies, Inc. Detecting unknown software vulnerabilities and system compromises
US10044736B1 (en) 2015-09-21 2018-08-07 ThreatConnect, Inc. Methods and apparatus for identifying and characterizing computer network infrastructure involved in malicious activity
US20170134418A1 (en) * 2015-10-16 2017-05-11 Daniel Minoli System and method for a uniform measure and assessement of an institution's aggregate cyber security risk and of the institution's cybersecurity confidence index.
US10853883B2 (en) * 2015-10-28 2020-12-01 Qomplx, Inc. Cybersecurity profile generated using a simulation engine
US11070592B2 (en) * 2015-10-28 2021-07-20 Qomplx, Inc. System and method for self-adjusting cybersecurity analysis and score generation
US11514531B2 (en) 2015-10-28 2022-11-29 Qomplx, Inc. Platform for autonomous risk assessment and quantification for cyber insurance policies
US10970787B2 (en) * 2015-10-28 2021-04-06 Qomplx, Inc. Platform for live issuance and management of cyber insurance policies
US20220014555A1 (en) 2015-10-28 2022-01-13 Qomplx, Inc. Distributed automated planning and execution platform for designing and running complex processes
WO2017095727A1 (en) * 2015-11-30 2017-06-08 Jpmorgan Chase Bank, N.A. Systems and methods for software security scanning employing a scan quality index
AU2016367922B2 (en) * 2015-12-11 2019-08-08 Servicenow, Inc. Computer network threat assessment
US9860250B2 (en) * 2015-12-14 2018-01-02 Mastercard International Incorporated Systems and methods for use in indexing applications based on security standards
US9871797B2 (en) 2016-02-09 2018-01-16 Lookingglass Cyber Solutions, Inc. Information security apparatus and methods for credential dump authenticity verification
US11182720B2 (en) 2016-02-16 2021-11-23 BitSight Technologies, Inc. Relationships among technology assets and services and the entities responsible for them
US10268976B2 (en) 2016-02-17 2019-04-23 SecurityScorecard, Inc. Non-intrusive techniques for discovering and using organizational relationships
US10075456B1 (en) * 2016-03-04 2018-09-11 Symantec Corporation Systems and methods for detecting exploit-kit landing pages
US20220164840A1 (en) 2016-04-01 2022-05-26 OneTrust, LLC Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design
US10860715B2 (en) * 2016-05-26 2020-12-08 Barracuda Networks, Inc. Method and apparatus for proactively identifying and mitigating malware attacks via hosted web assets
US10313383B2 (en) * 2016-06-01 2019-06-04 Mastercard International Incorporated Systems and methods for use in evaluating vulnerability risks associated with payment applications
US11416109B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Automated data processing systems and methods for automatically processing data subject access requests using a chatbot
US12136055B2 (en) 2016-06-10 2024-11-05 OneTrust, LLC Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques
US12052289B2 (en) 2016-06-10 2024-07-30 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US11438386B2 (en) 2016-06-10 2022-09-06 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US11675929B2 (en) 2016-06-10 2023-06-13 OneTrust, LLC Data processing consent sharing systems and related methods
US10997318B2 (en) 2016-06-10 2021-05-04 OneTrust, LLC Data processing systems for generating and populating a data inventory for processing data access requests
US11392720B2 (en) 2016-06-10 2022-07-19 OneTrust, LLC Data processing systems for verification of consent and notice processing and related methods
US11366909B2 (en) 2016-06-10 2022-06-21 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US11366786B2 (en) * 2016-06-10 2022-06-21 OneTrust, LLC Data processing systems for processing data subject access requests
US10592648B2 (en) 2016-06-10 2020-03-17 OneTrust, LLC Consent receipt management systems and related methods
US11343284B2 (en) 2016-06-10 2022-05-24 OneTrust, LLC Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance
US10949565B2 (en) 2016-06-10 2021-03-16 OneTrust, LLC Data processing systems for generating and populating a data inventory
US11625502B2 (en) 2016-06-10 2023-04-11 OneTrust, LLC Data processing systems for identifying and modifying processes that are subject to data subject access requests
US11222139B2 (en) 2016-06-10 2022-01-11 OneTrust, LLC Data processing systems and methods for automatic discovery and assessment of mobile software development kits
US10909265B2 (en) 2016-06-10 2021-02-02 OneTrust, LLC Application privacy scanning systems and related methods
US11410106B2 (en) 2016-06-10 2022-08-09 OneTrust, LLC Privacy management systems and methods
US11416798B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Data processing systems and methods for providing training in a vendor procurement process
US11544667B2 (en) 2016-06-10 2023-01-03 OneTrust, LLC Data processing systems for generating and populating a data inventory
US11651104B2 (en) 2016-06-10 2023-05-16 OneTrust, LLC Consent receipt management systems and related methods
US10846433B2 (en) 2016-06-10 2020-11-24 OneTrust, LLC Data processing consent management systems and related methods
US11416590B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US11475136B2 (en) 2016-06-10 2022-10-18 OneTrust, LLC Data processing systems for data transfer risk identification and related methods
US11188862B2 (en) 2016-06-10 2021-11-30 OneTrust, LLC Privacy management systems and methods
US11727141B2 (en) 2016-06-10 2023-08-15 OneTrust, LLC Data processing systems and methods for synching privacy-related user consent across multiple computing devices
US11301796B2 (en) 2016-06-10 2022-04-12 OneTrust, LLC Data processing systems and methods for customizing privacy training
US11651106B2 (en) 2016-06-10 2023-05-16 OneTrust, LLC Data processing systems for fulfilling data subject access requests and related methods
US11354435B2 (en) 2016-06-10 2022-06-07 OneTrust, LLC Data processing systems for data testing to confirm data deletion and related methods
US11481710B2 (en) 2016-06-10 2022-10-25 OneTrust, LLC Privacy management systems and methods
US11328092B2 (en) 2016-06-10 2022-05-10 OneTrust, LLC Data processing systems for processing and managing data subject access in a distributed environment
US12118121B2 (en) 2016-06-10 2024-10-15 OneTrust, LLC Data subject access request processing systems and related methods
US10318761B2 (en) 2016-06-10 2019-06-11 OneTrust, LLC Data processing systems and methods for auditing data request compliance
US11416589B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US11461500B2 (en) 2016-06-10 2022-10-04 OneTrust, LLC Data processing systems for cookie compliance testing with website scanning and related methods
US10740487B2 (en) 2016-06-10 2020-08-11 OneTrust, LLC Data processing systems and methods for populating and maintaining a centralized database of personal data
US11222142B2 (en) 2016-06-10 2022-01-11 OneTrust, LLC Data processing systems for validating authorization for personal data collection, storage, and processing
US11341447B2 (en) 2016-06-10 2022-05-24 OneTrust, LLC Privacy management systems and methods
US11227247B2 (en) 2016-06-10 2022-01-18 OneTrust, LLC Data processing systems and methods for bundled privacy policies
US11188615B2 (en) 2016-06-10 2021-11-30 OneTrust, LLC Data processing consent capture systems and related methods
US10510031B2 (en) 2016-06-10 2019-12-17 OneTrust, LLC Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques
US10678945B2 (en) 2016-06-10 2020-06-09 OneTrust, LLC Consent receipt management systems and related methods
US10909488B2 (en) 2016-06-10 2021-02-02 OneTrust, LLC Data processing systems for assessing readiness for responding to privacy-related incidents
US11520928B2 (en) 2016-06-10 2022-12-06 OneTrust, LLC Data processing systems for generating personal data receipts and related methods
US11562097B2 (en) 2016-06-10 2023-01-24 OneTrust, LLC Data processing systems for central consent repository and related methods
US11336697B2 (en) 2016-06-10 2022-05-17 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US10878127B2 (en) 2016-06-10 2020-12-29 OneTrust, LLC Data subject access request processing systems and related methods
US11403377B2 (en) 2016-06-10 2022-08-02 OneTrust, LLC Privacy management systems and methods
US10685140B2 (en) 2016-06-10 2020-06-16 OneTrust, LLC Consent receipt management systems and related methods
US11134086B2 (en) 2016-06-10 2021-09-28 OneTrust, LLC Consent conversion optimization systems and related methods
US10284604B2 (en) 2016-06-10 2019-05-07 OneTrust, LLC Data processing and scanning systems for generating and populating a data inventory
US11294939B2 (en) 2016-06-10 2022-04-05 OneTrust, LLC Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software
US11418492B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Data processing systems and methods for using a data model to select a target data asset in a data migration
US11636171B2 (en) 2016-06-10 2023-04-25 OneTrust, LLC Data processing user interface monitoring systems and related methods
US11354434B2 (en) 2016-06-10 2022-06-07 OneTrust, LLC Data processing systems for verification of consent and notice processing and related methods
US12045266B2 (en) 2016-06-10 2024-07-23 OneTrust, LLC Data processing systems for generating and populating a data inventory
US11586700B2 (en) 2016-06-10 2023-02-21 OneTrust, LLC Data processing systems and methods for automatically blocking the use of tracking tools
US11295316B2 (en) 2016-06-10 2022-04-05 OneTrust, LLC Data processing systems for identity validation for consumer rights requests and related methods
US11010717B2 (en) * 2016-06-21 2021-05-18 The Prudential Insurance Company Of America Tool for improving network security
US10757139B1 (en) * 2016-06-28 2020-08-25 Amazon Technologies, Inc. Assessing and reporting security risks of an application program interface
US10938844B2 (en) 2016-07-22 2021-03-02 At&T Intellectual Property I, L.P. Providing security through characterizing mobile traffic by domain names
US10372915B2 (en) * 2016-07-29 2019-08-06 Jpmorgan Chase Bank, N.A. Cybersecurity vulnerability management systems and method
US10410158B1 (en) * 2016-07-29 2019-09-10 Symantec Corporation Systems and methods for evaluating cybersecurity risk
US10250631B2 (en) * 2016-08-11 2019-04-02 Balbix, Inc. Risk modeling
US10320829B1 (en) * 2016-08-11 2019-06-11 Balbix, Inc. Comprehensive modeling and mitigation of security risk vulnerabilities in an enterprise network
US10521590B2 (en) * 2016-09-01 2019-12-31 Microsoft Technology Licensing Llc Detection dictionary system supporting anomaly detection across multiple operating environments
US11301550B2 (en) * 2016-09-07 2022-04-12 Cylance Inc. Computer user authentication using machine learning
US10157285B2 (en) 2016-10-14 2018-12-18 Bank Of America Corporation Dynamic requirements mapping
IT201600103610A1 (en) * 2016-10-17 2018-04-17 London Cyber Security L T D METHOD FOR CALCULATING THE RISK OF COMPUTERIZED VULNERABILITY OF AN ORGANIZATION
US20180121658A1 (en) * 2016-10-27 2018-05-03 Gemini Cyber, Inc. Cyber risk assessment and management system and method
US10212184B2 (en) 2016-10-27 2019-02-19 Opaq Networks, Inc. Method for the continuous calculation of a cyber security risk index
CN106357692A (en) * 2016-11-08 2017-01-25 广州华多网络科技有限公司 IP address access method and forged source attack resistance method, device and server
EP3545418A4 (en) 2016-11-22 2020-08-12 AON Global Operations PLC, Singapore Branch Systems and methods for cybersecurity risk assessment
US10171510B2 (en) 2016-12-14 2019-01-01 CyberSaint, Inc. System and method for monitoring and grading a cybersecurity framework
US10412111B2 (en) * 2016-12-30 2019-09-10 eSentire, Inc. System and method for determining network security threats
US20180189697A1 (en) * 2016-12-30 2018-07-05 Lookingglass Cyber Solutions, Inc. Methods and apparatus for processing threat metrics to determine a risk of loss due to the compromise of an organization asset
KR101781450B1 (en) * 2017-01-03 2017-09-25 한국인터넷진흥원 Method and Apparatus for Calculating Risk of Cyber Attack
US10484399B1 (en) * 2017-02-16 2019-11-19 Symantec Corporation Systems and methods for detecting low-density training regions of machine-learning classification systems
US10791136B2 (en) * 2017-03-20 2020-09-29 Fair Isaac Corporation System and method for empirical organizational cybersecurity risk assessment using externally-visible data
US10313386B1 (en) * 2017-03-28 2019-06-04 Symantec Corporation Systems and methods for assessing security risks of users of computer networks of organizations
US10958617B2 (en) * 2017-04-10 2021-03-23 Verisign, Inc. Systems and methods for using domain name system context based response records
US10339321B2 (en) * 2017-05-02 2019-07-02 Dignity Health Cybersecurity maturity forecasting tool/dashboard
US11632382B2 (en) 2017-05-15 2023-04-18 Forcepoint Llc Anomaly detection using endpoint counters
US10999296B2 (en) 2017-05-15 2021-05-04 Forcepoint, LLC Generating adaptive trust profiles using information derived from similarly situated organizations
US11949700B2 (en) 2017-05-15 2024-04-02 Forcepoint Llc Using content stored in an entity behavior catalog in combination with an entity risk score
US10013577B1 (en) 2017-06-16 2018-07-03 OneTrust, LLC Data processing systems for identifying whether cookies contain personally identifying information
US10440047B2 (en) * 2017-06-22 2019-10-08 Symantec Corporation Systems and methods for mapping internet protocol addresses for an organization
US10425380B2 (en) 2017-06-22 2019-09-24 BitSight Technologies, Inc. Methods for mapping IP addresses and domains to organizations using user activity data
US9930062B1 (en) 2017-06-26 2018-03-27 Factory Mutual Insurance Company Systems and methods for cyber security risk assessment
US10776878B1 (en) * 2017-06-29 2020-09-15 State Farm Mutual Automobile Insurance Company Social media data aggregation to optimize underwriting
US10318729B2 (en) * 2017-07-26 2019-06-11 Forcepoint, LLC Privacy protection during insider threat monitoring
US10217071B2 (en) * 2017-07-28 2019-02-26 SecurityScorecard, Inc. Reducing cybersecurity risk level of a portfolio of companies using a cybersecurity risk multiplier
US10614401B2 (en) 2017-07-28 2020-04-07 SecurityScorecard, Inc. Reducing cybersecurity risk level of portfolio of companies using a cybersecurity risk multiplier
US10868824B2 (en) 2017-07-31 2020-12-15 Zerofox, Inc. Organizational social threat reporting
US10999324B2 (en) 2017-08-01 2021-05-04 Forcepoint, LLC Direct-connect web endpoint
US10904282B2 (en) * 2017-08-08 2021-01-26 American International Group, Inc. System and method for assessing cybersecurity risk of computer network
WO2019050557A1 (en) * 2017-08-15 2019-03-14 Fractal Industries, Inc. Cybersecurity profile generated using a simulation engine
US11418527B2 (en) 2017-08-22 2022-08-16 ZeroFOX, Inc Malicious social media account identification
US11403400B2 (en) 2017-08-31 2022-08-02 Zerofox, Inc. Troll account detection
WO2019055235A1 (en) * 2017-09-14 2019-03-21 Siemens Corporation System and method to check automation system project security vulnerabilities
US20190116193A1 (en) 2017-10-17 2019-04-18 Yanlin Wang Risk assessment for network access control through data analytics
US11892897B2 (en) 2017-11-03 2024-02-06 Arizona Board Of Regents On Behalf Of Arizona State University Systems and methods for predicting which software vulnerabilities will be exploited by malicious hackers to prioritize for patching
CN108881151B (en) * 2017-12-29 2021-08-03 哈尔滨安天科技集团股份有限公司 Joint-point-free determination method and device and electronic equipment
CN108062423B (en) * 2018-01-24 2019-04-19 北京百度网讯科技有限公司 Information-pushing method and device
WO2019152710A1 (en) 2018-01-31 2019-08-08 Aon Risk Consultants, Inc. System and methods for vulnerability assessment and provisioning of related services and products for efficient risk suppression
US11368483B1 (en) * 2018-02-13 2022-06-21 Akamai Technologies, Inc. Low touch integration of a bot detection service in association with a content delivery network
EP3762851A4 (en) * 2018-03-05 2021-11-10 Ezotech Inc. Automated security testing system and method
JP6977625B2 (en) * 2018-03-07 2021-12-08 富士通株式会社 Evaluation program, evaluation method and evaluation device
US10257219B1 (en) 2018-03-12 2019-04-09 BitSight Technologies, Inc. Correlated risk in cybersecurity
US10791137B2 (en) 2018-03-14 2020-09-29 Synack, Inc. Risk assessment and remediation
JP7172104B2 (en) * 2018-04-06 2022-11-16 富士通株式会社 NETWORK MONITORING DEVICE, NETWORK MONITORING PROGRAM AND NETWORK MONITORING METHOD
US10812520B2 (en) 2018-04-17 2020-10-20 BitSight Technologies, Inc. Systems and methods for external detection of misconfigured systems
US10915638B2 (en) * 2018-05-16 2021-02-09 Target Brands Inc. Electronic security evaluator
WO2020065392A2 (en) * 2018-05-22 2020-04-02 Arx Nimbus Llc Cybersecurity quantitative analysis software as a service
WO2019225008A1 (en) * 2018-05-25 2019-11-28 三菱電機株式会社 Security risk evaluation device, security risk evaluation method and security risk evaluation program
US11709946B2 (en) 2018-06-06 2023-07-25 Reliaquest Holdings, Llc Threat mitigation system and method
US11588838B2 (en) 2018-06-06 2023-02-21 Reliaquest Holdings, Llc Threat mitigation system and method
US10771504B2 (en) * 2018-06-09 2020-09-08 NortonLifeLock Inc. Systems and methods for identifying data breaches
DE102018113994A1 (en) 2018-06-12 2019-12-12 IT-Seal GmbH A method of determining a level of deception for a single phishing attack against a person
US11050792B2 (en) * 2018-07-05 2021-06-29 Cisco Technology, Inc. Dynamic DNS policy enforcement based on endpoint security posture
US11531762B2 (en) * 2018-08-10 2022-12-20 Jpmorgan Chase Bank, N.A. Method and apparatus for management of vulnerability disclosures
US11146584B1 (en) * 2018-08-16 2021-10-12 5thColumn LLC Methods, apparatuses, systems and devices for network security
US10803202B2 (en) 2018-09-07 2020-10-13 OneTrust, LLC Data processing systems for orphaned data identification and deletion and related methods
US11544409B2 (en) 2018-09-07 2023-01-03 OneTrust, LLC Data processing systems and methods for automatically protecting sensitive data within privacy management systems
US11200323B2 (en) 2018-10-17 2021-12-14 BitSight Technologies, Inc. Systems and methods for forecasting cybersecurity ratings based on event-rate scenarios
US11093618B2 (en) * 2018-10-23 2021-08-17 Jpmorgan Chase Bank, N.A. Systems and methods for using an application control prioritization index
US10521583B1 (en) 2018-10-25 2019-12-31 BitSight Technologies, Inc. Systems and methods for remote detection of software through browser webinjects
EP3874379A4 (en) * 2018-10-30 2022-07-20 Valimail Inc. Signed message header storing sender account authentication method
US10885186B2 (en) 2018-11-13 2021-01-05 Forcepoint, LLC System and method for operating a protected endpoint device
US10880328B2 (en) * 2018-11-16 2020-12-29 Accenture Global Solutions Limited Malware detection
CN109729069B (en) * 2018-11-26 2021-12-28 武汉极意网络科技有限公司 Abnormal IP address detection method and device and electronic equipment
US11625486B2 (en) * 2018-12-04 2023-04-11 Safe Securities Inc. Methods and systems of a cybersecurity scoring model
WO2020141486A1 (en) * 2019-01-03 2020-07-09 Virta Laboratories, Inc. Systems and methods for facilitating cybersecurity risk management of computing assets
US20200401961A1 (en) * 2019-01-22 2020-12-24 Recorded Future, Inc. Automated organizational security scoring system
WO2020160166A1 (en) 2019-01-31 2020-08-06 Aon Risk Consultants, Inc. Systems and methods for vulnerability assessment and remedy identification
US11461458B2 (en) * 2019-02-28 2022-10-04 SpyCloud, Inc. Measuring data-breach propensity
US10546135B1 (en) 2019-03-06 2020-01-28 SecurityScorecard, Inc. Inquiry response mapping for determining a cybersecurity risk level of an entity
US11625482B2 (en) 2019-03-18 2023-04-11 Recorded Future, Inc. Cross-network security evaluation
US11363051B2 (en) 2019-04-01 2022-06-14 Armis Security Ltd. System and method for mitigating cyber security threats by devices using risk factors
WO2020231845A1 (en) 2019-05-10 2020-11-19 Cybeta, LLC System and method for cyber security threat assessment
US10609578B1 (en) * 2019-05-16 2020-03-31 At&T Intellectual Property I, L.P. Methods, systems and computer readable media for predicting risk in network elements using machine learning
CN110099131A (en) * 2019-05-17 2019-08-06 网宿科技股份有限公司 A kind of domain name analytic method and device
US11736508B2 (en) * 2019-05-29 2023-08-22 Johnson Controls Tyco IP Holdings LLP System and method for managing the security health of a network device
US11310284B2 (en) 2019-05-31 2022-04-19 Varmour Networks, Inc. Validation of cloud security policies
US11863580B2 (en) 2019-05-31 2024-01-02 Varmour Networks, Inc. Modeling application dependencies to identify operational risk
US11290493B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Template-driven intent-based security
US11711374B2 (en) 2019-05-31 2023-07-25 Varmour Networks, Inc. Systems and methods for understanding identity and organizational access to applications within an enterprise environment
US11575563B2 (en) * 2019-05-31 2023-02-07 Varmour Networks, Inc. Cloud security management
US11290494B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Reliability prediction for cloud security policies
USD926810S1 (en) 2019-06-05 2021-08-03 Reliaquest Holdings, Llc Display screen or portion thereof with a graphical user interface
USD926809S1 (en) 2019-06-05 2021-08-03 Reliaquest Holdings, Llc Display screen or portion thereof with a graphical user interface
USD926811S1 (en) 2019-06-06 2021-08-03 Reliaquest Holdings, Llc Display screen or portion thereof with a graphical user interface
USD926200S1 (en) 2019-06-06 2021-07-27 Reliaquest Holdings, Llc Display screen or portion thereof with a graphical user interface
USD926782S1 (en) 2019-06-06 2021-08-03 Reliaquest Holdings, Llc Display screen or portion thereof with a graphical user interface
US10715493B1 (en) * 2019-07-03 2020-07-14 Centripetal Networks, Inc. Methods and systems for efficient cyber protections of mobile devices
US11582191B2 (en) 2019-07-03 2023-02-14 Centripetal Networks, Inc. Cyber protections of remote networks via selective policy enforcement at a central network
US10726136B1 (en) 2019-07-17 2020-07-28 BitSight Technologies, Inc. Systems and methods for generating security improvement plans for entities
US11232384B1 (en) * 2019-07-19 2022-01-25 The Boston Consulting Group, Inc. Methods and systems for determining cyber related projects to implement
US11238169B2 (en) 2019-08-08 2022-02-01 Allstate Insurance Company Privacy score
US11956265B2 (en) 2019-08-23 2024-04-09 BitSight Technologies, Inc. Systems and methods for inferring entity relationships via network communications of users or user devices
US11755742B2 (en) * 2019-08-28 2023-09-12 Johnson Controls Tyco IP Holdings LLP Building management system with cyber health dashboard
US11297090B2 (en) * 2019-09-11 2022-04-05 International Business Machines Corporation Security evaluation for computing workload relocation
US10848382B1 (en) 2019-09-26 2020-11-24 BitSight Technologies, Inc. Systems and methods for network asset discovery and association thereof with entities
US11032244B2 (en) 2019-09-30 2021-06-08 BitSight Technologies, Inc. Systems and methods for determining asset importance in security risk management
CN110728458B (en) * 2019-10-18 2022-07-29 支付宝(杭州)信息技术有限公司 Target object risk monitoring method and device and electronic equipment
US11750625B1 (en) * 2019-12-11 2023-09-05 Wells Fargo Bank, N.A. Data breach monitoring and remediation
US20220247776A1 (en) * 2019-12-18 2022-08-04 Cyberark Software Ltd. Analyzing and addressing security threats in network resources
US11323470B2 (en) * 2019-12-18 2022-05-03 Cyberark Software Ltd. Analyzing and addressing least-privilege security threats on a composite basis
US10791140B1 (en) 2020-01-29 2020-09-29 BitSight Technologies, Inc. Systems and methods for assessing cybersecurity state of entities based on computer network characterization
US11706248B2 (en) 2020-01-31 2023-07-18 Fidelis Cybersecurity, Inc. Aggregation and flow propagation of elements of cyber-risk in an enterprise
US10893067B1 (en) 2020-01-31 2021-01-12 BitSight Technologies, Inc. Systems and methods for rapidly generating security ratings
US10764298B1 (en) 2020-02-26 2020-09-01 BitSight Technologies, Inc. Systems and methods for improving a security profile of an entity based on peer security profiles
US11418531B2 (en) * 2020-03-18 2022-08-16 Cyberlab Inc. System and method for determining cybersecurity rating and risk scoring
US11587161B2 (en) * 2020-03-19 2023-02-21 Intuit Inc. Explainable complex model
US11539738B1 (en) * 2020-03-24 2022-12-27 Mcafee, Llc Methods, systems, and media for mitigating damage resulting from a website being an intermediary in a cyberattack
US11641369B1 (en) * 2020-03-26 2023-05-02 Gen Digital Inc. Systems and methods for managing digital personas for online services
WO2021202833A1 (en) * 2020-04-01 2021-10-07 Qomplx, Inc. A system and method for self-adjusting cybersecurity analysis and score generation
US11438363B2 (en) * 2020-04-03 2022-09-06 Zscaler, Inc. Network exposure detection and security assessment tool
US11768945B2 (en) 2020-04-07 2023-09-26 Allstate Insurance Company Machine learning system for determining a security vulnerability in computer software
US11830357B1 (en) * 2020-04-07 2023-11-28 Emmett Murphy Road user vulnerability state classification and reporting system and method
US11720686B1 (en) 2020-04-08 2023-08-08 Wells Fargo Bank, N.A. Security model utilizing multi-channel data with risk-entity facing cybersecurity alert engine and portal
US11706241B1 (en) 2020-04-08 2023-07-18 Wells Fargo Bank, N.A. Security model utilizing multi-channel data
US11777992B1 (en) 2020-04-08 2023-10-03 Wells Fargo Bank, N.A. Security model utilizing multi-channel data
US12015630B1 (en) 2020-04-08 2024-06-18 Wells Fargo Bank, N.A. Security model utilizing multi-channel data with vulnerability remediation circuitry
US10949543B1 (en) * 2020-04-22 2021-03-16 NormShield, Inc. System and method for scalable cyber-risk assessment of computer systems
US11734431B2 (en) * 2020-04-27 2023-08-22 Saudi Arabian Oil Company Method and system for assessing effectiveness of cybersecurity controls in an OT environment
US11556635B2 (en) 2020-04-28 2023-01-17 Bank Of America Corporation System for evaluation and weighting of resource usage activity
US20210360017A1 (en) * 2020-05-14 2021-11-18 Cynomi Ltd System and method of dynamic cyber risk assessment
US11023585B1 (en) 2020-05-27 2021-06-01 BitSight Technologies, Inc. Systems and methods for managing cybersecurity alerts
US11671314B2 (en) * 2020-06-11 2023-06-06 Dell Products L.P. Configuring HCI management network via management controller
US20220004643A1 (en) * 2020-07-02 2022-01-06 Cisco Technology, Inc. Automated mapping for identifying known vulnerabilities in software products
WO2022011142A1 (en) 2020-07-08 2022-01-13 OneTrust, LLC Systems and methods for targeted data discovery
WO2022026564A1 (en) 2020-07-28 2022-02-03 OneTrust, LLC Systems and methods for automatically blocking the use of tracking tools
US11475165B2 (en) 2020-08-06 2022-10-18 OneTrust, LLC Data processing systems and methods for automatically redacting unstructured data from a data subject access request
WO2022027572A1 (en) * 2020-08-07 2022-02-10 Nokia Shanghai Bell Co., Ltd. Security management service in management plane
WO2022046652A1 (en) * 2020-08-24 2022-03-03 CyberCatch, Inc. Automated and continuous cybersecurity assessment with measurement and scoring
WO2022060860A1 (en) 2020-09-15 2022-03-24 OneTrust, LLC Data processing systems and methods for detecting tools for the automatic blocking of consent requests
US11526624B2 (en) 2020-09-21 2022-12-13 OneTrust, LLC Data processing systems and methods for automatically detecting target data transfers and target data processing
US11444971B2 (en) * 2020-10-06 2022-09-13 Nozomi Networks Sagl Method for assessing the quality of network-related indicators of compromise
WO2022099023A1 (en) 2020-11-06 2022-05-12 OneTrust, LLC Systems and methods for identifying data processing activities based on data discovery results
US12062098B2 (en) * 2020-11-23 2024-08-13 Computed Futures Inc Systems and methods for detecting and mitigating cyber security threats
US20220180368A1 (en) * 2020-12-04 2022-06-09 Guardinex LLC Risk Detection, Assessment, And Mitigation Of Digital Third-Party Fraud
US11122073B1 (en) * 2020-12-11 2021-09-14 BitSight Technologies, Inc. Systems and methods for cybersecurity risk mitigation and management
US11876817B2 (en) 2020-12-23 2024-01-16 Varmour Networks, Inc. Modeling queue-based message-oriented middleware relationships in a security system
US11818152B2 (en) 2020-12-23 2023-11-14 Varmour Networks, Inc. Modeling topic-based message-oriented middleware within a security system
US11687528B2 (en) 2021-01-25 2023-06-27 OneTrust, LLC Systems and methods for discovery, classification, and indexing of data in a native computing system
US11799917B2 (en) 2021-01-25 2023-10-24 Saudi Arabian Oil Company System, method, and computing medium to remediate cybersecurity risks based on a risk rating
US12050693B2 (en) 2021-01-29 2024-07-30 Varmour Networks, Inc. System and method for attributing user behavior from multiple technical telemetry sources
US11777978B2 (en) 2021-01-29 2023-10-03 Varmour Networks, Inc. Methods and systems for accurately assessing application access risk
WO2022170047A1 (en) 2021-02-04 2022-08-11 OneTrust, LLC Managing custom attributes for domain objects defined within microservices
US20240111899A1 (en) 2021-02-08 2024-04-04 OneTrust, LLC Data processing systems and methods for anonymizing data samples in classification analysis
US11601464B2 (en) 2021-02-10 2023-03-07 OneTrust, LLC Systems and methods for mitigating risks of third-party computing system functionality integration into a first-party computing system
US20220261714A1 (en) * 2021-02-14 2022-08-18 Broadstone Technologies, Llc System and Method for Identifying and Predicting Risk
WO2022178089A1 (en) 2021-02-17 2022-08-25 OneTrust, LLC Managing custom workflows for domain objects defined within microservices
WO2022178219A1 (en) 2021-02-18 2022-08-25 OneTrust, LLC Selective redaction of media content
US11973788B2 (en) * 2021-03-08 2024-04-30 Tenable, Inc. Continuous scoring of security controls and dynamic tuning of security policies
US20240311497A1 (en) 2021-03-08 2024-09-19 OneTrust, LLC Data transfer discovery and analysis systems and related methods
US11838275B2 (en) 2021-03-12 2023-12-05 Forcepoint Llc Web endpoint device having automatic switching between proxied and non-proxied communication modes
US11677770B2 (en) * 2021-03-19 2023-06-13 International Business Machines Corporation Data retrieval for anomaly detection
US12079347B2 (en) 2021-03-31 2024-09-03 BitSight Technologies, Inc. Systems and methods for assessing cybersecurity risk in a work from home environment
US20220327216A1 (en) * 2021-04-07 2022-10-13 Bank Of America Corporation Dynamic event securitization and neural network analysis system
US11562078B2 (en) 2021-04-16 2023-01-24 OneTrust, LLC Assessing and managing computational risk involved with integrating third party computing functionality within a computing system
US11848956B2 (en) 2021-04-26 2023-12-19 Orca Security LTD. Systems and methods for disparate risk information aggregation
US12008379B2 (en) 2021-05-14 2024-06-11 Samsung Electronics Co., Ltd. Automotive image sensor, image processing system including the same and operating method thereof
US20220374527A1 (en) * 2021-05-23 2022-11-24 Todd Beebe Dynamic security event analysis and response testing
US11811807B2 (en) * 2021-05-27 2023-11-07 Microsoft Technology Licensing, Llc Conditional security measures using rolling set of risk scores
US20220405188A1 (en) * 2021-06-21 2022-12-22 Red Hat, Inc. Monitoring activity of an application prior to deployment
US11734316B2 (en) 2021-07-08 2023-08-22 Varmour Networks, Inc. Relationship-based search in a computing environment
US12058163B2 (en) 2021-08-10 2024-08-06 CyberSaint, Inc. Systems, media, and methods for utilizing a crosswalk algorithm to identify controls across frameworks, and for utilizing identified controls to generate cybersecurity risk assessments
US11509682B1 (en) 2021-09-15 2022-11-22 NormShield, Inc System and method for computation of ransomware susceptibility
US11949696B2 (en) 2021-12-17 2024-04-02 Bank Of America Corporation Data security system with dynamic intervention response
US11966477B2 (en) * 2022-01-11 2024-04-23 Musarubra Us Llc Methods and apparatus for generic process chain entity mapping
WO2023158873A2 (en) * 2022-02-21 2023-08-24 Cranium Ai, Inc. System and method for implementing an artificial intelligence security platform
US20230267113A1 (en) * 2022-02-23 2023-08-24 Dell Products L.P. Dcf confidence score aging
US20230281314A1 (en) * 2022-03-03 2023-09-07 SparkCognition, Inc. Malware risk score determination
US11954209B2 (en) 2022-03-18 2024-04-09 International Business Machines Corporation Cognitive malware awareness improvement with cyclamates
CN114900330B (en) * 2022-04-07 2024-08-16 京东科技信息技术有限公司 Page protection method and device
US11620142B1 (en) 2022-06-03 2023-04-04 OneTrust, LLC Generating and customizing user interfaces for demonstrating functions of interactive user environments
CN115314255B (en) * 2022-07-11 2023-12-29 深信服科技股份有限公司 Attack result detection method, device, computer equipment and storage medium
US11811818B1 (en) 2022-10-11 2023-11-07 Second Sight Data Discovery, Inc. Apparatus and method for determining a risk associated with a cyberattack
US11824888B1 (en) 2022-12-01 2023-11-21 Second Sight Data Discovery, Inc. Apparatus and method for assessing security risk for digital resources
US11895141B1 (en) 2022-12-01 2024-02-06 Second Sight Data Discovery, Inc. Apparatus and method for analyzing organization digital security
US12056001B2 (en) 2022-12-01 2024-08-06 Second Sight Data Discovery, Inc. Apparatus and method for identifying single points of failure
US20240273214A1 (en) * 2023-02-11 2024-08-15 NormShield, Inc. Artificial-intelligence-based system and method for questionnaire / security policy cross-correlation and compliance level estimation for cyber risk assessments

Family Cites Families (126)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5917997A (en) * 1996-12-06 1999-06-29 International Business Machines Corporation Host identity takeover using virtual internet protocol (IP) addressing
US6205489B1 (en) * 1999-01-05 2001-03-20 Whowhere, Inc. Method for providing an internet protocol address with a domain name server
EP1149339A1 (en) 1998-12-09 2001-10-31 Network Ice Corporation A method and apparatus for providing network and computer system security
US6601093B1 (en) * 1999-12-01 2003-07-29 Ibm Corporation Address resolution in ad-hoc networking
US6684250B2 (en) * 2000-04-03 2004-01-27 Quova, Inc. Method and apparatus for estimating a geographic location of a networked entity
US7574740B1 (en) 2000-04-28 2009-08-11 International Business Machines Corporation Method and system for intrusion detection in a computer network
US7162649B1 (en) 2000-06-30 2007-01-09 Internet Security Systems, Inc. Method and apparatus for network assessment and authentication
US7089325B1 (en) * 2000-07-05 2006-08-08 Register.Com, Inc. Method and apparatus for URL forwarding
US7178166B1 (en) 2000-09-19 2007-02-13 Internet Security Systems, Inc. Vulnerability assessment and authentication of a computer by a local scanner
FR2816536B1 (en) 2000-11-16 2003-01-17 Snecma Moteurs METHOD AND DEVICE FOR ULTRASONIC SCRATCHING OF "AXIAL" ATTACHMENT ALVEOLS OF AUBES ON A ROTOR
US20020147676A1 (en) * 2001-04-10 2002-10-10 Rashida Karmali Computerized evaluation of risk in financing tecnologies
US20040073707A1 (en) * 2001-05-23 2004-04-15 Hughes Electronics Corporation Generating a list of network addresses for pre-loading a network address cache via multicast
US7237264B1 (en) 2001-06-04 2007-06-26 Internet Security Systems, Inc. System and method for preventing network misuse
US20030037063A1 (en) * 2001-08-10 2003-02-20 Qlinx Method and system for dynamic risk assessment, risk monitoring, and caseload management
SE0103294D0 (en) * 2001-10-04 2001-10-04 Forskarpatent I Syd Ab Lactate producing lactococcus strain
US8001271B1 (en) * 2002-10-21 2011-08-16 Arbor Networks, Inc. Method and apparatus for locating naming discrepancies
US7913303B1 (en) 2003-01-21 2011-03-22 International Business Machines Corporation Method and system for dynamically protecting a computer system from attack
US7739281B2 (en) * 2003-09-16 2010-06-15 Microsoft Corporation Systems and methods for ranking documents based upon structurally interrelated information
US20050132225A1 (en) * 2003-12-16 2005-06-16 Glenn Gearhart Method and system for cyber-security vulnerability detection and compliance measurement (CDCM)
US8856239B1 (en) * 2004-02-10 2014-10-07 Sonicwall, Inc. Message classification based on likelihood of spoofing
US7444371B2 (en) * 2004-03-11 2008-10-28 At&T Intellectual Property Ii, L.P. Method and apparatus for limiting reuse of domain name system response information
US7533416B2 (en) * 2004-04-29 2009-05-12 Microsoft Corporation Framework for protection level monitoring, reporting, and notification
KR20060000342A (en) * 2004-06-28 2006-01-06 주식회사 이지브로네트웍스 Device for enabling intra-edge routing-less premises internet protocol communication and communication method using the same
US8606613B2 (en) * 2004-10-12 2013-12-10 International Business Machines Corporation Method, system and program product for funding an outsourcing project
US7257631B2 (en) * 2005-01-31 2007-08-14 Register.Com, Inc. Domain manager and method of use
KR101154744B1 (en) * 2005-08-01 2012-06-08 엘지이노텍 주식회사 Nitride light emitting device and fabrication method thereof
US9674145B2 (en) * 2005-09-06 2017-06-06 Daniel Chien Evaluating a questionable network communication
WO2007030764A2 (en) * 2005-09-06 2007-03-15 Daniel Chien Identifying a network address source for authentication
US8621604B2 (en) * 2005-09-06 2013-12-31 Daniel Chien Evaluating a questionable network communication
US9912677B2 (en) * 2005-09-06 2018-03-06 Daniel Chien Evaluating a questionable network communication
US9015090B2 (en) * 2005-09-06 2015-04-21 Daniel Chien Evaluating a questionable network communication
US8010689B2 (en) * 2006-05-22 2011-08-30 Mcafee, Inc. Locational tagging in a capture system
US7958227B2 (en) * 2006-05-22 2011-06-07 Mcafee, Inc. Attributes of captured objects in a capture system
US20080047016A1 (en) * 2006-08-16 2008-02-21 Cybrinth, Llc CCLIF: A quantified methodology system to assess risk of IT architectures and cyber operations
US8116207B2 (en) * 2006-08-21 2012-02-14 Citrix Systems, Inc. Systems and methods for weighted monitoring of network services
US20160248813A1 (en) * 2006-08-23 2016-08-25 Threatstop, Inc. Method and system for propagating network policy
US8533822B2 (en) * 2006-08-23 2013-09-10 Threatstop, Inc. Method and system for propagating network policy
US7904456B2 (en) * 2006-09-01 2011-03-08 Robert John Hennan Security monitoring tool for computer network
US20080172738A1 (en) * 2007-01-11 2008-07-17 Cary Lee Bates Method for Detecting and Remediating Misleading Hyperlinks
US8763114B2 (en) * 2007-01-24 2014-06-24 Mcafee, Inc. Detecting image spam
US7756987B2 (en) * 2007-04-04 2010-07-13 Microsoft Corporation Cybersquatter patrol
US20080250407A1 (en) * 2007-04-05 2008-10-09 Microsoft Corporation Network group name for virtual machines
US8131745B1 (en) * 2007-04-09 2012-03-06 Rapleaf, Inc. Associating user identities with different unique identifiers
US20090024663A1 (en) * 2007-07-19 2009-01-22 Mcgovern Mark D Techniques for Information Security Assessment
US8316440B1 (en) * 2007-10-30 2012-11-20 Trend Micro, Inc. System for detecting change of name-to-IP resolution
US8171554B2 (en) * 2008-02-04 2012-05-01 Yuval Elovici System that provides early detection, alert, and response to electronic threats
US8307431B2 (en) * 2008-05-30 2012-11-06 At&T Intellectual Property I, L.P. Method and apparatus for identifying phishing websites in network traffic using generated regular expressions
US8763071B2 (en) * 2008-07-24 2014-06-24 Zscaler, Inc. Systems and methods for mobile application security classification and enforcement
US10027688B2 (en) * 2008-08-11 2018-07-17 Damballa, Inc. Method and system for detecting malicious and/or botnet-related domain names
US20090282027A1 (en) * 2008-09-23 2009-11-12 Michael Subotin Distributional Similarity Based Method and System for Determining Topical Relatedness of Domain Names
US8495719B2 (en) * 2008-10-02 2013-07-23 International Business Machines Corporation Cross-domain access prevention
US7930428B2 (en) * 2008-11-11 2011-04-19 Barracuda Networks Inc Verification of DNS accuracy in cache poisoning
US20150365305A1 (en) * 2009-04-07 2015-12-17 Verisign, Inc. Domain name system traffic analysis
US8527658B2 (en) * 2009-04-07 2013-09-03 Verisign, Inc Domain traffic ranking
JP5288204B2 (en) * 2009-08-10 2013-09-11 株式会社日立製作所 Gateway system and control method
US8412847B2 (en) * 2009-11-02 2013-04-02 Demandbase, Inc. Mapping network addresses to organizations
US9015318B1 (en) * 2009-11-18 2015-04-21 Cisco Technology, Inc. System and method for inspecting domain name system flows in a network environment
WO2011063269A1 (en) * 2009-11-20 2011-05-26 Alert Enterprise, Inc. Method and apparatus for risk visualization and remediation
US20140098955A1 (en) 2009-12-15 2014-04-10 Los Alamos National Security, Llc Quantum enabled security for optical communications
US8321551B2 (en) * 2010-02-02 2012-11-27 Symantec Corporation Using aggregated DNS information originating from multiple sources to detect anomalous DNS name resolutions
US20110235631A1 (en) * 2010-03-24 2011-09-29 Avaya Inc. Method and apparatus for automatic verification of telephone number mapping
US8375427B2 (en) * 2010-04-21 2013-02-12 International Business Machines Corporation Holistic risk-based identity establishment for eligibility determinations in context of an application
US8326980B2 (en) * 2010-04-28 2012-12-04 Microsoft Corporation Using DNS reflection to measure network performance
US8510411B2 (en) * 2010-05-06 2013-08-13 Desvio, Inc. Method and system for monitoring and redirecting HTTP requests away from unintended web sites
AU2011253359A1 (en) * 2010-05-13 2013-01-10 Northwestern University Geographic location system and method
US8621638B2 (en) * 2010-05-14 2013-12-31 Mcafee, Inc. Systems and methods for classification of messaging entities
US20130254179A1 (en) * 2010-06-19 2013-09-26 Brand Enforcement Services Limited Systems and methods for brand enforcement
US8904541B2 (en) * 2010-08-26 2014-12-02 Salesforce.Com, Inc. Performing security assessments in an online services system
US10805331B2 (en) * 2010-09-24 2020-10-13 BitSight Technologies, Inc. Information technology security assessment system
US20120089745A1 (en) * 2010-10-06 2012-04-12 Bhavin Turakhia Computer enabled method and system for associating an ip address to a domain name
TW201230741A (en) * 2011-01-07 2012-07-16 Nat Univ Tsing Hua Method and system for preventing domain name system cache poisoning attacks
US8621637B2 (en) * 2011-01-10 2013-12-31 Saudi Arabian Oil Company Systems, program product and methods for performing a risk assessment workflow process for plant networks and systems
US9065850B1 (en) * 2011-02-07 2015-06-23 Zscaler, Inc. Phishing detection systems and methods
US9547998B2 (en) 2011-04-08 2017-01-17 Wombat Security Technologies, Inc. Context-aware training systems, apparatuses, and methods
US9558677B2 (en) 2011-04-08 2017-01-31 Wombat Security Technologies, Inc. Mock attack cybersecurity training system and methods
US9373267B2 (en) 2011-04-08 2016-06-21 Wombat Security Technologies, Inc. Method and system for controlling context-aware cybersecurity training
US9118702B2 (en) * 2011-05-31 2015-08-25 Bce Inc. System and method for generating and refining cyber threat intelligence data
US10742591B2 (en) * 2011-07-06 2020-08-11 Akamai Technologies Inc. System for domain reputation scoring
US9811667B2 (en) * 2011-09-21 2017-11-07 Mcafee, Inc. System and method for grouping computer vulnerabilities
EP2592814A1 (en) * 2011-11-08 2013-05-15 VeriSign, Inc. System and method for detecting DNS traffic anomalies
KR101586469B1 (en) * 2012-02-01 2016-02-02 엠파이어 테크놀로지 디벨롭먼트 엘엘씨 Preventing cloud cartography
US9172591B2 (en) * 2012-02-06 2015-10-27 Deepfield Networks System and method for management of cloud-based systems
US20130253979A1 (en) * 2012-03-13 2013-09-26 Pacific Gas And Electric Company Objectively managing risk
TWI478561B (en) * 2012-04-05 2015-03-21 Inst Information Industry Domain tracing method and system and computer-readable storage medium storing the method
US8954573B2 (en) * 2012-04-11 2015-02-10 Mcafee Inc. Network address repository management
US8955036B2 (en) * 2012-04-11 2015-02-10 Mcafee, Inc. System asset repository management
US8726393B2 (en) * 2012-04-23 2014-05-13 Abb Technology Ag Cyber security analyzer
US8825662B1 (en) * 2012-04-24 2014-09-02 Semcasting, Inc. System and method for creating customized IP zones utilizing predictive modeling
US8813235B2 (en) * 2012-08-10 2014-08-19 Nopsec Inc. Expert system for detecting software security threats
US9294433B1 (en) * 2012-11-02 2016-03-22 8X8, Inc. Multiple-master DNS system
US20140137190A1 (en) * 2012-11-09 2014-05-15 Rapid7, Inc. Methods and systems for passively detecting security levels in client devices
US20140137257A1 (en) * 2012-11-12 2014-05-15 Board Of Regents, The University Of Texas System System, Method and Apparatus for Assessing a Risk of One or More Assets Within an Operational Technology Infrastructure
US9177139B2 (en) 2012-12-30 2015-11-03 Honeywell International Inc. Control system cyber security
US9749336B1 (en) * 2013-02-26 2017-08-29 Palo Alto Networks, Inc. Malware domain detection using passive DNS
US9425966B1 (en) * 2013-03-14 2016-08-23 Amazon Technologies, Inc. Security mechanism evaluation service
US9197487B2 (en) * 2013-03-15 2015-11-24 Verisign, Inc. High performance DNS traffic management
US8914883B2 (en) * 2013-05-03 2014-12-16 Fortinet, Inc. Securing email communications
US20140344008A1 (en) * 2013-05-20 2014-11-20 Vmware, Inc. Strategic planning process for end user computing
US9215226B2 (en) * 2013-07-24 2015-12-15 Adobe Systems Incorporated Dynamically mapping users to groups
US20150032905A1 (en) * 2013-07-24 2015-01-29 Qualcomm Incorporated Method and system for associating internet protocol (ip) address, media access control (mac) address and location for a user device
US20150039599A1 (en) * 2013-08-01 2015-02-05 Go Daddy Operating Company, LLC Methods and systems for recommending top level and second level domains
US10084791B2 (en) * 2013-08-14 2018-09-25 Daniel Chien Evaluating a questionable network communication
CN104427011B (en) * 2013-09-02 2019-03-22 中兴通讯股份有限公司 The method and domain name cache server of domain name mapping
US9438615B2 (en) * 2013-09-09 2016-09-06 BitSight Technologies, Inc. Security risk management
US20150106260A1 (en) * 2013-10-11 2015-04-16 G2 Web Services System and methods for global boarding of merchants
US9319421B2 (en) * 2013-10-14 2016-04-19 Ut-Battelle, Llc Real-time detection and classification of anomalous events in streaming data
US9049221B1 (en) * 2013-11-12 2015-06-02 Emc Corporation Detecting suspicious web traffic from an enterprise network
US9191403B2 (en) * 2014-01-07 2015-11-17 Fair Isaac Corporation Cyber security adaptive analytics threat monitoring system and method
US9832217B2 (en) * 2014-03-13 2017-11-28 International Business Machines Corporation Computer implemented techniques for detecting, investigating and remediating security violations to IT infrastructure
US10164846B2 (en) * 2014-03-28 2018-12-25 Fortinet, Inc. Network flow analysis
US20150350229A1 (en) * 2014-05-29 2015-12-03 Singularity Networks, Inc. Network Threat Detection and Mitigation Using a Domain Name Service and Network Transaction Data
US10474820B2 (en) * 2014-06-17 2019-11-12 Hewlett Packard Enterprise Development Lp DNS based infection scores
US10432576B2 (en) * 2014-06-19 2019-10-01 Instart Logic, Inc. User device to domain name resolver mapping
US10469514B2 (en) * 2014-06-23 2019-11-05 Hewlett Packard Enterprise Development Lp Collaborative and adaptive threat intelligence for computer security
US10212176B2 (en) * 2014-06-23 2019-02-19 Hewlett Packard Enterprise Development Lp Entity group behavior profiling
US9565204B2 (en) * 2014-07-18 2017-02-07 Empow Cyber Security Ltd. Cyber-security system and methods thereof
US9942250B2 (en) * 2014-08-06 2018-04-10 Norse Networks, Inc. Network appliance for dynamic protection from risky network activities
US9954815B2 (en) * 2014-09-15 2018-04-24 Nxp Usa, Inc. Domain name collaboration service using domain name dependency server
US10097403B2 (en) * 2014-09-16 2018-10-09 CloudGenix, Inc. Methods and systems for controller-based data forwarding rules without routing protocols
US10290001B2 (en) * 2014-10-28 2019-05-14 Brighterion, Inc. Data breach detection
US20160127408A1 (en) * 2014-10-31 2016-05-05 NxLabs Limited Determining vulnerability of a website to security threats
US9509764B1 (en) * 2014-11-21 2016-11-29 Instart Logic, Inc. Updating cached web content
US9787634B1 (en) * 2014-12-12 2017-10-10 Go Daddy Operating Company, LLC Suggesting domain names based on recognized user patterns
US9990432B1 (en) * 2014-12-12 2018-06-05 Go Daddy Operating Company, LLC Generic folksonomy for concept-based domain name searches
US10467536B1 (en) * 2014-12-12 2019-11-05 Go Daddy Operating Company, LLC Domain name generation and ranking
US9501647B2 (en) * 2014-12-13 2016-11-22 Security Scorecard, Inc. Calculating and benchmarking an entity's cybersecurity risk score

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10491620B2 (en) * 2014-12-13 2019-11-26 SecurityScorecare, Inc. Entity IP mapping
CN109005118A (en) * 2018-08-21 2018-12-14 中国平安人寿保险股份有限公司 Search method, apparatus, computer equipment and the storage medium of CDN source station address

Also Published As

Publication number Publication date
US10491619B2 (en) 2019-11-26
US9294498B1 (en) 2016-03-22
US20210176267A1 (en) 2021-06-10
US20200228563A1 (en) 2020-07-16
US20160248797A1 (en) 2016-08-25
US20240171604A1 (en) 2024-05-23
US20160259945A1 (en) 2016-09-08
US20160171415A1 (en) 2016-06-16
US11451572B2 (en) 2022-09-20
US20190207972A1 (en) 2019-07-04
US10498756B2 (en) 2019-12-03
US11916952B2 (en) 2024-02-27
US20210176270A1 (en) 2021-06-10
US20230275919A1 (en) 2023-08-31
US20200021612A1 (en) 2020-01-16
US20200092320A1 (en) 2020-03-19
US10230753B2 (en) 2019-03-12
US20160173522A1 (en) 2016-06-16
US9501647B2 (en) 2016-11-22
US20160173521A1 (en) 2016-06-16
US11336677B2 (en) 2022-05-17
US9641547B2 (en) 2017-05-02
US10931704B2 (en) 2021-02-23
US20170048267A1 (en) 2017-02-16
US10491620B2 (en) 2019-11-26
US11785037B2 (en) 2023-10-10
US11750637B2 (en) 2023-09-05
US20170171237A1 (en) 2017-06-15
US20200358808A1 (en) 2020-11-12
US20220030024A1 (en) 2022-01-27
US20200137106A1 (en) 2020-04-30
US9372994B1 (en) 2016-06-21
US12041073B2 (en) 2024-07-16
US10560474B2 (en) 2020-02-11
US20240007496A1 (en) 2024-01-04
US11140192B2 (en) 2021-10-05
US10848517B1 (en) 2020-11-24
US20240340304A1 (en) 2024-10-10

Similar Documents

Publication Publication Date Title
US12041073B2 (en) Entity IP mapping
US11343269B2 (en) Techniques for detecting domain threats
US10587646B2 (en) Analyzing DNS requests for anomaly detection
WO2015051720A1 (en) Method and device for detecting suspicious dns, and method and system for processing suspicious dns
US9473516B1 (en) Detecting network attacks based on a hash
US20120180125A1 (en) Method and system for preventing domain name system cache poisoning attacks

Legal Events

Date Code Title Description
AS Assignment

Owner name: SECURITY SCORECARD, INC., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YAMPOLSKIY, ALEKSANDR;KASSOUMEH, SAMUEL;CHOE, DANIEL;REEL/FRAME:035688/0020

Effective date: 20141222

Owner name: SECURITY SCORECARD, INC., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YAMPOLSKIY, ALEKSANDR;BLACKIN, ROB;KASSOUMEH, SAMUEL;REEL/FRAME:035687/0980

Effective date: 20141222

Owner name: SECURITY SCORECARD, NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MATVIKO, NICK;REEL/FRAME:035688/0029

Effective date: 20150511

Owner name: SECURITY SCORECARD, INC., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YAMPOLSKIY, ALEKSANDR;BLACKIN, ROB;HEID, ALEXANDER;REEL/FRAME:035687/0941

Effective date: 20141222

STCF Information on status: patent grant

Free format text: PATENTED CASE

CC Certificate of correction
AS Assignment

Owner name: SECURITYSCORECARD, INC., NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE NAME PREVIOUSLY RECORDED AT REEL: 035687 FRAME: 0980. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNORS:YAMPOLSKIY, ALEKSANDR;BLACKIN, ROB;KASSOUMEH, SAMUEL;REEL/FRAME:043990/0088

Effective date: 20141222

Owner name: SECURITYSCORECARD, INC., NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE NAME PREVIOUSLY RECORDED ON REEL 035687 FRAME 0941. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNORS:YAMPOLSKIY, ALEKSANDR;BLACKIN, ROB;HEID, ALEXANDER;REEL/FRAME:043989/0810

Effective date: 20141222

AS Assignment

Owner name: SECURITYSCORECARD, INC., NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE NAME PREVIOUSLY RECORDED AT REEL: 035688 FRAME: 0029. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:MATVIKO, NICK;REEL/FRAME:044003/0300

Effective date: 20150511

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 4

AS Assignment

Owner name: SECURITYSCORECARD, INC., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MATVIKO, NICK;REEL/FRAME:051612/0493

Effective date: 20150511

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:SECURITYSCORECARD, INC.;REEL/FRAME:057514/0519

Effective date: 20210917

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 8

AS Assignment

Owner name: FIRST-CITIZENS BANK & TRUST COMPANY, CALIFORNIA

Free format text: SECURITY INTEREST;ASSIGNOR:SECURITYSCORECARD, INC.;REEL/FRAME:067711/0635

Effective date: 20240607

AS Assignment

Owner name: SECURITYSCORECARD, INC., NEW YORK

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:068631/0463

Effective date: 20240606